
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1518426
MD5: 4c128449b1492fc2ff49c431044d4b10
SHA1: b7b77ae75cd5adfa5aa1c49d48396f5b66a79441
SHA256: 7c171a51686b7da6c4d9178093164888ff30f9be7b4e38412db3c8b98b595cd0
Tags: exe, RemcosRAT, user-jstrosch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Suspect Svchost Activity
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 2712 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4C128449B1492FC2FF49C431044D4B10)
    • Windows Driver Server.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" MD5: 4C128449B1492FC2FF49C431044D4B10)
      • svchost.exe (PID: 6748 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • Windows Driver Server.exe (PID: 7360 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" MD5: 4C128449B1492FC2FF49C431044D4B10)
  • Windows Driver Server.exe (PID: 7508 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" MD5: 4C128449B1492FC2FF49C431044D4B10)
  • Windows Driver Server.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" MD5: 4C128449B1492FC2FF49C431044D4B10)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "5.20.120.177:2404:1", "Assigned name": "NeonLauncher", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Windows Driver Server.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-HWAIZA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "_temp.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Enable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "Application path", "Audio folder": "Microsoft", "Connect delay": "0", "Copy folder": "Microsoft", "Keylog folder": "Microsoft"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
file.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
file.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
file.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x6aab8:$a1: Remcos restarted by watchdog!
        • 0x6b030:$a3: %02i:%02i:%02i:%03i
file.exe | REMCOS_RAT_variants | unknown | unknown
        • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
        • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x64b7c:$str_b2: Executing file:
        • 0x65bfc:$str_b3: GetDirectListeningPort
        • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x65728:$str_b7: \update.vbs
        • 0x64ba4:$str_b9: Downloaded file:
        • 0x64b90:$str_b10: Downloading file:
        • 0x64c34:$str_b12: Failed to upload file:
        • 0x65bc4:$str_b13: StartForward
        • 0x65be4:$str_b14: StopForward
        • 0x65680:$str_b15: fso.DeleteFile "
        • 0x65614:$str_b16: On Error Resume Next
        • 0x656b0:$str_b17: fso.DeleteFolder "
        • 0x64c24:$str_b18: Uploaded file:
        • 0x64be4:$str_b19: Unable to delete:
        • 0x65648:$str_b20: while fso.FileExists("
        • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
              • 0x6aab8:$a1: Remcos restarted by watchdog!
              • 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | REMCOS_RAT_variants | unknown | unknown
              • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
              • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x64b7c:$str_b2: Executing file:
              • 0x65bfc:$str_b3: GetDirectListeningPort
              • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x65728:$str_b7: \update.vbs
              • 0x64ba4:$str_b9: Downloaded file:
              • 0x64b90:$str_b10: Downloading file:
              • 0x64c34:$str_b12: Failed to upload file:
              • 0x65bc4:$str_b13: StartForward
              • 0x65be4:$str_b14: StopForward
              • 0x65680:$str_b15: fso.DeleteFile "
              • 0x65614:$str_b16: On Error Resume Next
              • 0x656b0:$str_b17: fso.DeleteFolder "
              • 0x64c24:$str_b18: Uploaded file:
              • 0x64be4:$str_b19: Unable to delete:
              • 0x65648:$str_b20: while fso.FileExists("
              • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
                    • 0x134b8:$a1: Remcos restarted by watchdog!
                    • 0x13a30:$a3: %02i:%02i:%02i:%03i
0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author | Strings
2.2.Windows Driver Server.exe.29a0000.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.2.Windows Driver Server.exe.29a0000.2.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
2.2.Windows Driver Server.exe.29a0000.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
2.2.Windows Driver Server.exe.29a0000.2.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
                            • 0x6aab8:$a1: Remcos restarted by watchdog!
                            • 0x6b030:$a3: %02i:%02i:%02i:%03i
2.2.Windows Driver Server.exe.29a0000.2.unpack | REMCOS_RAT_variants | unknown | unknown
                            • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
                            • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                            • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                            • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                            • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                            • 0x64b7c:$str_b2: Executing file:
                            • 0x65bfc:$str_b3: GetDirectListeningPort
                            • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                            • 0x65728:$str_b7: \update.vbs
                            • 0x64ba4:$str_b9: Downloaded file:
                            • 0x64b90:$str_b10: Downloading file:
                            • 0x64c34:$str_b12: Failed to upload file:
                            • 0x65bc4:$str_b13: StartForward
                            • 0x65be4:$str_b14: StopForward
                            • 0x65680:$str_b15: fso.DeleteFile "
                            • 0x65614:$str_b16: On Error Resume Next
                            • 0x656b0:$str_b17: fso.DeleteFolder "
                            • 0x64c24:$str_b18: Uploaded file:
                            • 0x64be4:$str_b19: Unable to delete:
                            • 0x65648:$str_b20: while fso.FileExists("
                            • 0x650c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, ParentProcessId: 4600, ParentProcessName: Windows Driver Server.exe, ProcessCommandLine: svchost.exe, ProcessId: 6748, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HWAIZA
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, ParentProcessId: 4600, ParentProcessName: Windows Driver Server.exe, ProcessCommandLine: svchost.exe, ProcessId: 6748, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2712, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HWAIZA
Source: Process started; Author: vburov; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe" , ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, ParentProcessId: 4600, ParentProcessName: Windows Driver Server.exe, ProcessCommandLine: svchost.exe, ProcessId: 6748, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: BA 85 2F 38 05 92 EF F2 08 39 2A F4 3B 32 3D 60 22 09 EE 04 AB 19 53 44 1E D0 CB 58 40 62 0E D3 F4 35 A9 77 BC C9 06 1B D2 97 2C FD E1 55 68 8B A3 92 AD 2F 07 E0 40 D2 CE 44 E1 0C F2 0F 1A 65 58 29 3C B6 03 C7 74 A8 65 4E CA FF C3 BA 79 7A 84 8E 26 61 5C F1 64 0D 97 9A 5B 7E ED 71 84 4E 5C 4B 0F 36 69 0F FD BA 7C 0B 1F 93 48 D2 4F 15 F8 46 19 EA 3A B6 0C 87 FC 48 C7 FD 58 CF A0 4F 90 5E 7F DB A0 6F 45 3E 63 E4 4F D8 09 3C , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, ProcessId: 4600, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-HWAIZA\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T17:21:05.427080+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49700 | 5.20.120.177 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T17:21:07.565125+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | TCP


AV Detection

Source: file.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe; Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "5.20.120.177:2404:1", "Assigned name": "NeonLauncher", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Windows Driver Server.exe", "Startup value": "Enable", "Hide file": "Enable", "Mutex": "Rmc-HWAIZA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "_temp.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Enable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "Application path", "Audio folder": "Microsoft", "Connect delay": "0", "Copy folder": "Microsoft", "Keylog folder": "Microsoft"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe; ReversingLabs: Detection: 81%
Source: file.exe; ReversingLabs: Detection: 81%
Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe; Joe Sandbox ML: detected
Source: file.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 3_2_006838C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_006838C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe; Code function: 12_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004338C8
Source: file.exe, 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_eaf0e78b-4)

Exploits

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED

Privilege Escalation

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00657538 _wcslen,CoGetObject,3_2_00657538
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00407538 _wcslen,CoGetObject,12_2_00407538
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0065928E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0066C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0066C322
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0065C388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006596A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_006596A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00657877 FindFirstFileW,FindNextFileW,3_2_00657877
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00658847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00658847
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0069E8F9 FindFirstFileExA,3_2_0069E8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0065BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00669B86 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00669B86
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0065BD72
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49700 -> 5.20.120.177:2404
Source: Malware configuration extractor | URLs: 5.20.120.177
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 5.20.120.177:2404
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: CGATES-ASLT
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49701 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 5.20.120.177
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B411
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: Windows Driver Server.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: file.exe, Windows Driver Server.exe.0.dr | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Windows Driver Server.exe, 00000002.00000003.1284234025.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp5
Source: Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Windows Driver Server.exe, 00000002.00000003.1284234025.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: Windows Driver Server.exe, 00000002.00000003.1284234025.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpv

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 0_2_0040A2F3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168FC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006668FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_006668FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004168FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A41B
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED

E-Banking Fraud

Source: Yara match | File sources: the same set as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (the submitted sample, the unpacked PE images of file.exe, Windows Driver Server.exe and svchost.exe, the process memory of file.exe PID 2712, svchost.exe PID 6748 and Windows Driver Server.exe PIDs 4600, 7360, 7508 and 7576, and the dropped file C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe)

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CA73 SystemParametersInfoW,0_2_0041CA73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0066CA73 SystemParametersInfoW,3_2_0066CA73
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0041CA73 SystemParametersInfoW,12_2_0041CA73

System Summary

Source: file.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: file.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: file.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPEDMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Author: unknown
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPEDMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exeProcess Stats: CPU usage > 49%
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_0041330D
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041BBC6
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB9A
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0066330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,3_2_0066330D
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0066BBC6 OpenProcess,NtResumeProcess,CloseHandle,3_2_0066BBC6
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0066BB9A OpenProcess,NtSuspendProcess,CloseHandle,3_2_0066BB9A
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exeCode function: 12_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,12_2_0041330D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exeCode function: 12_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,12_2_0041BBC6
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exeCode function: 12_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,12_2_0041BB9A
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167EF
                            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_006667EF ExitWindowsEx,LoadLibraryA,GetProcAddress,3_2_006667EF
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exeCode function: 12_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_004167EF
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00684E70 appears 54 times
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00652093 appears 50 times
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00651E65 appears 35 times
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00684801 appears 41 times
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: String function: 00402093 appears 50 times
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: String function: 00401E65 appears 34 times
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: String function: 00434E70 appears 54 times
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: String function: 00434801 appears 42 times
                            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00402093 appears 50 times
                            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00401E65 appears 35 times
                            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00434E70 appears 54 times
                            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00434801 appears 42 times
                            Source: file.exe, 00000000.00000002.1254552076.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs file.exe
                            Source: file.exe, 00000000.00000003.1254121536.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs file.exe
                            Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: file.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: file.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: file.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/4@1/2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0066798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HWAIZA-W
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HWAIZA
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): PG
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Software\
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Rmc-HWAIZA
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Exe
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Rmc-HWAIZA-W
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): ,aF
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Inj
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): 8SG
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): exepath
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): licence
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): dMG
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): PSG
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): Administrator
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): User
Source: C:\Users\user\Desktop\file.exe | Command line argument (function 0_2_0040EA00): del
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): PG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): Software\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): Exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): ,aF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): Inj
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): 8SG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): exepath
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): licence
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): dMG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): PSG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): Administrator
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): User
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Command line argument (function 12_2_0040EA00): del
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, ntmarta.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, twext.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, policymanager.dll, msvcp110_win.dll, ntshrui.dll, sspicli.dll, windows.fileexplorer.common.dll, cscapi.dll, shacct.dll, idstore.dll, twinapi.appcore.dll, samlib.dll, textshaping.dll, starttiledata.dll, acppage.dll, sfc.dll, msi.dll, aepic.dll, cryptsp.dll, sfc_os.dll, wlidprov.dll, samcli.dll, provsvc.dll, edputil.dll, wintypes.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Sections loaded: apphelp.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\SysWOW64\svchost.exe | Sections loaded: winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065E0D8 push 00000000h; ret 3_2_0065E0DC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006A7186 push ecx; ret 3_2_006A7199
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AB462 push 00000000h; retf 3_2_006AB474
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AB45A push 00000000h; ret 3_2_006AB45C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AB49A push 00000000h; retn 0000h 3_2_006AB49C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AE55D push esi; ret 3_2_006AE566
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AC9FE push 00000000h; retf 3_2_006ACA00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AC9AA pushfd; retf 3_2_006AC9AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AC98A push esp; retf 3_2_006AC98D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AC98E pushad; retf 3_2_006AC991
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AC992 push 70006ACBh; retf 3_2_006AC999
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006A7AA8 push eax; ret 3_2_006A7AC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006AAEF2 push 00000000h; iretd 3_2_006AAF04
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00684EB6 push ecx; ret 3_2_00684EC9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00457186 push ecx; ret 12_2_00457199
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00457AA8 push eax; ret 12_2_00457AC6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00434EB6 push ecx; ret 12_2_00434EC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe (dropped file)

                            Boot Survival

                            Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
                            Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA
                            Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA
                            Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA
                            Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | File deleted: c:\users\user\desktop\file.exe
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065F7E2 Sleep,ExitProcess, 3_2_0065F7E2
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040F7E2 Sleep,ExitProcess, 12_2_0040F7E2
                            Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_3-47567
                            Source: C:\Users\user\Desktop\file.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 3_2_0066A7D9
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 12_2_0041A7D9
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Window / User API: threadDelayed 3635
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Window / User API: threadDelayed 3534
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Window / User API: threadDelayed 720
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Window / User API: foregroundWindowGot 1690
                            Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision graph_0-47617
                            Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision graph_0-47593
                            Source: C:\Users\user\Desktop\file.exe | API coverage: 6.2 %
                            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 6.2 %
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | API coverage: 6.2 %
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6640 | Thread sleep count: 219 > 30
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6640 | Thread sleep time: -109500s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 7112 | Thread sleep count: 3635 > 30
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 7112 | Thread sleep time: -10905000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6760 | Thread sleep count: 3534 > 30
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6760 | Thread sleep time: -10602000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 7112 | Thread sleep count: 720 > 30
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 7112 | Thread sleep time: -2160000s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6760 | Thread sleep count: 314 > 30
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe TID: 6760 | Thread sleep time: -942000s >= -30000s
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044E8F9 FindFirstFileExA, 0_2_0044E8F9
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_0065928E
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0066C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 3_2_0066C322
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 3_2_0065C388
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_006596A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 3_2_006596A0
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00657877 FindFirstFileW,FindNextFileW, 3_2_00657877
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00658847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 3_2_00658847
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0069E8F9 FindFirstFileExA, 3_2_0069E8F9
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 3_2_0065BB6B
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00669B86 FindFirstFileW,FindNextFileW,FindNextFileW, 3_2_00669B86
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0065BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 3_2_0065BD72
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 12_2_0040928E
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 12_2_0041C322
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 12_2_0040C388
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 12_2_004096A0
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 12_2_00408847
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00407877 FindFirstFileW,FindNextFileW, 12_2_00407877
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0044E8F9 FindFirstFileExA, 12_2_0044E8F9
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 12_2_0040BB6B
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 12_2_00419B86
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 12_2_0040BD72
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                            Source: Windows Driver Server.exe, 00000002.00000002.3717760471.0000000003910000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_3-47568
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00693355 mov eax, dword ptr fs:[00000030h] 3_2_00693355
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00443355 mov eax, dword ptr fs:[00000030h] 12_2_00443355
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree, 0_2_004120B2
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043503C
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB71
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter, 0_2_00434BD8
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0068503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0068503C
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00684A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00684A8A
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0068BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0068BB71
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00684BD8 SetUnhandledExceptionFilter, 3_2_00684BD8
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0043503C
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00434A8A
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0043BB71
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: 12_2_00434BD8 SetUnhandledExceptionFilter, 12_2_00434BD8

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 485008
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00662132
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00412132
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00419662 mouse_event, 0_2_00419662
                            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager'
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3717760471.0000000003910000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerl
                            Source: Windows Driver Server.exe, 00000002.00000002.3717760471.0000000003910000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\%
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\yR
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 11:21:16 Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/09/25 11:21:28 Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\>
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager[
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerE
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC
                            Source: Windows Driver Server.exe, 00000002.00000002.3717760471.0000000003910000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\s\I+
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/09/25 11:21:16 Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerrR
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 21:10 Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/09/25 11:21:10 Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managers
                            Source: Windows Driver Server.exe, 00000002.00000002.3717760471.0000000003910000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager-Rm
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager4Rd
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager&Rr
                            Source: Windows Driver Server.exe, 00000002.00000002.3710903443.0000000000615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZA\f1
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                            Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW, 0_2_0045201B
                            Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW, 0_2_004520B6
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452143
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW, 0_2_00452393
                            Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW, 0_2_00448484
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004524BC
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW, 0_2_004525C3
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452690
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW, 0_2_0044896D
                            Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA, 0_2_0040F90C
                            Source: C:\Users\user\Desktop\file.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451D58
                            Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW, 0_2_00451FD0
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 3_2_006A201B
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 3_2_006A20B6
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_006A2143
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 3_2_006A2393
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_006A24BC
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 3_2_00698484
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 3_2_006A25C3
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_006A2690
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoW, 3_2_0069896D
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA, 3_2_0065F90C
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_006A1D58
                            Source: C:\Windows\SysWOW64\svchost.exe | Code function: EnumSystemLocalesW, 3_2_006A1FD0
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: EnumSystemLocalesW, 12_2_0045201B
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: EnumSystemLocalesW, 12_2_004520B6
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452143
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoW, 12_2_00452393
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: EnumSystemLocalesW, 12_2_00448484
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004524BC
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoW, 12_2_004525C3
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00452690
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoW, 12_2_0044896D
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: GetLocaleInfoA, 12_2_0040F90C
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_00451D58
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: EnumSystemLocalesW, 12_2_00451FD0
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep, 0_2_0041A045
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW, 0_2_0041B69E
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00449210
                            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.29a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.5650c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.2a32020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.29a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.2a32020.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.650000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Windows Driver Server.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Driver Server.exe.5650c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: file.exe PID: 2712, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Driver Server.exe PID: 7576, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, type: DROPPED
Source: C:\Users\user\Desktop\file.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0065BA4D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040BA4D
Source: C:\Users\user\Desktop\file.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
Source: C:\Users\user\Desktop\file.exe | Code function: \key3.db 0_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0065BB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: \key3.db 3_2_0065BB6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: \key3.db 12_2_0040BB6B

Remote Access Functionality

Source: C:\Users\user\Desktop\file.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HWAIZA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HWAIZA
Source: C:\Windows\SysWOW64\svchost.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HWAIZA-W
Source: Yara match | File source: the same sample, unpacked PE, process memory and dropped-file sources as listed under Stealing of Sensitive Information
Source: C:\Users\user\Desktop\file.exe | Code function: cmd.exe 0_2_0040569A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: cmd.exe 3_2_0065569A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | Code function: cmd.exe 12_2_0040569A
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the count the report shows next to a technique, techniques without a number have no matching signature):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (12), Command and Scripting Interpreter (12), Service Execution (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (11), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (222), Registry Run Keys / Startup Folder (11), Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1), File Deletion (1), Masquerading (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (222), Dynamic API Resolution
Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials In Files (2), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (4), System Information Discovery (23), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (11), Input Capture (211), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Defacement (1), Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph ID: 1518426 | Sample: file.exe | Start date: 25/09/2024 | Architecture: WINDOWS | Score: 100
DNS/IP node: geoplugin.net
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
Processes started at top level: file.exe (3 created registry values, 4 created files); Windows Driver Server.exe (three instances)
file.exe: dropped C:\Users\user\...\Windows Driver Server.exe (PE32) and Windows Driver Ser...exe:Zone.Identifier (ASCII); signatures: Contains functionality to bypass UAC (CMSTPLUA), Detected Remcos RAT, Contains functionality to change the wallpaper, 5 other signatures; started Windows Driver Server.exe (4 created registry values, 16 created files)
Windows Driver Server.exe (started by file.exe): network: 5.20.120.177 (ports 2404, 49700), CGATES-ASLT, Lithuania; geoplugin.net 178.237.33.50 (ports 49701, 80), ATOM86-ASATOM86NL, Netherlands; signatures: Detected Remcos RAT, Deletes itself after installation, Writes to foreign memory regions, 2 other signatures; started svchost.exe
svchost.exe (started by Windows Driver Server.exe): signatures: Contains functionality to bypass UAC (CMSTPLUA), Detected Remcos RAT, Found evasive API chain (may stop execution after checking mutex), 4 other signatures

Antivirus detection for the submitted sample:
Source | Detection | Scanner | Label
file.exe | 82% | ReversingLabs | Win32.Backdoor.Remcos
file.exe | 100% | Avira | BDS/Backdoor.Gen
file.exe | 100% | Joe Sandbox ML |

Antivirus detection for dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | 100% | Avira | BDS/Backdoor.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe | 82% | ReversingLabs | Win32.Backdoor.Remcos

No Antivirus matches
No Antivirus matches

Antivirus detection for URLs and IPs:
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
5.20.120.177 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpv | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp5 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Contacted URLs and IPs:
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
5.20.120.177 | true | Avira URL Cloud: safe | unknown

URLs found in memory or binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpv | Windows Driver Server.exe, 00000002.00000003.1284234025.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp5 | Windows Driver Server.exe, 00000002.00000003.1284234025.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | file.exe, Windows Driver Server.exe.0.dr | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | Windows Driver Server.exe, 00000002.00000003.1284234025.0000000000615000.00000004.00000020.00020000.00000000.sdmp, Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | Windows Driver Server.exe, 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
5.20.120.177 | unknown | Lithuania | 21412 | CGATES-ASLT | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518426
Start date and time: 2024-09-25 17:20:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@8/4@1/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 18
• Number of non-executed functions: 394
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Windows Driver Server.exe, PID 4600 because there are no executed functions
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
13:00:04 | API Interceptor | 4480459x Sleep call for process: Windows Driver Server.exe modified
17:21:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
17:21:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
17:21:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-HWAIZA "C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
SDWLLRJcsY.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
1DUCJGrpyb.exe | malicious | Remcos | geoplugin.net/json.gp
1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
C8G355qROx.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | geoplugin.net/json.gp

Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | 178.237.33.50
AWS 1301241710.docx.doc | malicious | Remcos, PureLog Stealer | 178.237.33.50
C8G355qROx.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
RFQ-948563836483638563735435376354.xls | malicious | Remcos, GuLoader | 178.237.33.50
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              ATOM86-ASATOM86NLSDWLLRJcsY.exeGet hashmaliciousRemcos, GuLoaderBrowse
                              • 178.237.33.50
                              BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                              • 178.237.33.50
                              z65orderrequest.bat.exeGet hashmaliciousGuLoader, RemcosBrowse
                              • 178.237.33.50
                              Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                              • 178.237.33.50
                              1DUCJGrpyb.exeGet hashmaliciousRemcosBrowse
                              • 178.237.33.50
                              1zbL83sqmd.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                              • 178.237.33.50
                              XjPA2pnUhC.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                              • 178.237.33.50
                              AWS 1301241710.docx.docGet hashmaliciousRemcos, PureLog StealerBrowse
                              • 178.237.33.50
                              C8G355qROx.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                              • 178.237.33.50
                              RFQ-948563836483638563735435376354.xlsGet hashmaliciousRemcos, GuLoaderBrowse
                              • 178.237.33.50
                              CGATES-ASLTStub_p49.exeGet hashmaliciousBlackshades, PoisonivyBrowse
                              • 212.117.48.248
                              qD7cj0t7Ag.elfGet hashmaliciousMirai, MoobotBrowse
                              • 79.133.234.9
                              MWwbGhEqS4.elfGet hashmaliciousMiraiBrowse
                              • 87.247.119.10
                              TxXQ106ErI.elfGet hashmaliciousMiraiBrowse
                              • 87.247.119.11
                              NA9GDRMmA3.elfGet hashmaliciousUnknownBrowse
                              • 87.247.119.41
                              GfRwN8t3BN.elfGet hashmaliciousMiraiBrowse
                              • 91.187.165.164
                              skid.arm.elfGet hashmaliciousMirai, MoobotBrowse
                              • 46.251.61.207
                              crvEujmluK.elfGet hashmaliciousMirai, MoobotBrowse
                              • 87.247.120.9
                              r1kArkKGjW.exeGet hashmaliciousSalityBrowse
                              • 84.32.157.83
                              qRRr5gR434.exeGet hashmaliciousSalityBrowse
                              • 84.32.157.83
                              No context
                              No context
                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):962
                              Entropy (8bit):5.012309356796613
                              Encrypted:false
                              SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                              MD5:14B479958E659C5A4480548A393022AC
                              SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                              SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                              SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                              Malicious:false
                              Reputation:moderate, very likely benign file
Preview:
{
  "geoplugin_request":"8.46.123.33",
  "geoplugin_status":200,
  "geoplugin_delay":"0ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):476672
                              Entropy (8bit):6.675651841599251
                              Encrypted:false
                              SSDEEP:6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crmT4:bTlrYw1RUh3NFn+N5WfIQIjbs/ZmdT4
                              MD5:4C128449B1492FC2FF49C431044D4B10
                              SHA1:B7B77AE75CD5ADFA5AA1C49D48396F5B66A79441
                              SHA-256:7C171A51686B7DA6C4D9178093164888FF30F9BE7B4E38412DB3C8B98B595CD0
                              SHA-512:116999BF606A5FC696C0F9C7CF55361C6BBA5F26881CD6BCE525CA3C95E2676AF75BE7EEA0155CD37B8891FE7D391E4A69887B5FE95DE3788B18F7DC2C6924CC
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 82%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L......f.................r...........J............@.................................s\...........................................................................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc...............................@..@.reloc...;.......<..................@..B................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):640
                              Entropy (8bit):7.656018651468125
                              Encrypted:false
                              SSDEEP:12:L3eYZAQM+V5SE8YCQxVaoyWmPx2Oh0Ki8e3cB1Fb5wX2d0ykFCMcMDXVO:L3eenV5oYCQHzzmPx2Sccrw4Abm
                              MD5:68FDF62E2C6A66C1AD986C52E66961DE
                              SHA1:09714DA290FA89AFD084E0BDC9940502D9CDA15B
                              SHA-256:5039F6C6145F3F118710777BDE8F7D0FB2FD58C95CA2C7CF8E323C1816594355
                              SHA-512:A1DE6AB84B485F13A2A7D8D246F3BE1A1561114466EE72DAD570BBAC6E32571A35CA9ED75AC997EC6C86549F723435B8CB8AB2911C30B867334EEF12A966DD21
                              Malicious:false
                              Reputation:low
                              Preview:..8....K9}.}2a`N......DE.X.bZ.5.w..}...o..UF..../7.{..D....8eS)".3.V.kN...dz..aN.q...x~.q.NeKm6....V........FH.g....H.....O.^<.o.>)...3<g.b~...@p#3+4....U..{&7.'....+....uD..e..M..4..6oe7$8....F.w..Gr..v"...#.".&..3..\.n...@f.......T.L0...mH........B`.5...#.Af.9.s=^&}.<...,...Z]..t..........*...Z{W.30a....^..?6%!vS..../>..x...t.}.6@.t...X.)..v),.a........N...4.ep.+.7.V..G..d.oa8.H.}..A......).oS^K.q.oet...!.u.:..`.+....h..m..x.v..o....nx......V%4ni.+a.-..e.."_...s....x[.....7B........f.}..F....'.5.p0.~7......f....T+H....+%5.a ....._........ .F..z..!.5..!..k.."....K........0.'....4..E.p...v.{.I....z
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.675651841599251
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:476'672 bytes
                              MD5:4c128449b1492fc2ff49c431044d4b10
                              SHA1:b7b77ae75cd5adfa5aa1c49d48396f5b66a79441
                              SHA256:7c171a51686b7da6c4d9178093164888ff30f9be7b4e38412db3c8b98b595cd0
                              SHA512:116999bf606a5fc696c0f9c7cf55361c6bba5f26881cd6bce525ca3c95e2676af75be7eea0155cd37b8891fe7d391e4a69887b5fe95de3788b18f7dc2c6924cc
                              SSDEEP:6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crmT4:bTlrYw1RUh3NFn+N5WfIQIjbs/ZmdT4
                              TLSH:C8A4AF01FAD1C072D97614300D3AB766DAB8F9201935497F73EA0D5AEE31190A73ABB7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x434a80
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x66D71DE3 [Tue Sep 3 14:32:03 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:1389569a3a39186f3eb453b501cfe688
                              Instruction
                              call 00007F623886696Bh
                              jmp 00007F62388663B3h
                              push ebp
                              mov ebp, esp
                              sub esp, 00000324h
                              push ebx
                              push esi
                              push 00000017h
                              call 00007F6238888C03h
                              test eax, eax
                              je 00007F6238866527h
                              mov ecx, dword ptr [ebp+08h]
                              int 29h
                              xor esi, esi
                              lea eax, dword ptr [ebp-00000324h]
                              push 000002CCh
                              push esi
                              push eax
                              mov dword ptr [00471D14h], esi
                              call 00007F6238868976h
                              add esp, 0Ch
                              mov dword ptr [ebp-00000274h], eax
                              mov dword ptr [ebp-00000278h], ecx
                              mov dword ptr [ebp-0000027Ch], edx
                              mov dword ptr [ebp-00000280h], ebx
                              mov dword ptr [ebp-00000284h], esi
                              mov dword ptr [ebp-00000288h], edi
                              mov word ptr [ebp-0000025Ch], ss
                              mov word ptr [ebp-00000268h], cs
                              mov word ptr [ebp-0000028Ch], ds
                              mov word ptr [ebp-00000290h], es
                              mov word ptr [ebp-00000294h], fs
                              mov word ptr [ebp-00000298h], gs
                              pushfd
                              pop dword ptr [ebp-00000264h]
                              mov eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-0000026Ch], eax
                              lea eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-00000260h], eax
                              mov dword ptr [ebp-00000324h], 00010001h
                              mov eax, dword ptr [eax-04h]
                              push 00000050h
                              mov dword ptr [ebp-00000270h], eax
                              lea eax, dword ptr [ebp-58h]
                              push esi
                              push eax
                              call 00007F62388688EDh
                              Programming Language:
                              • [C++] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 2a24a2cbf738bf5f992a0162fad3d464 | False | 0.5008577215608465 | data | 5.862074061245876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x5c4 | 0x600 | b9d551a2154dbebcafe8e6a89ff3b02d | False | 0.9759114583333334 | data | 7.543013375090305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7a000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x7906c | 0x558 | data | | | 1.0080409356725146
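The resource section is small (0x5c4 bytes) and holds a single RT_RCDATA resource with near-maximal entropy (7.54 of 8) and a ZLIB complexity above 1.0, i.e. incompressible data. That is the profile of the encrypted settings blob Remcos 3.x/4.x keeps in its resources, and it is what the "Found malware configuration" signature at the top of the report refers to. The following is an added example, not code from the report or from Joe Sandbox: it decodes a blob in the publicly documented Remcos layout, which this editor assumes applies to this sample (the report does not print the resource): the first byte is the RC4 key length, the key follows, and the rest is the RC4-encrypted settings string whose fields are separated by the byte sequence `|\x1e\x1f|`. Only the first field (the `host:port:password` C2 list) is interpreted; the others are returned as indexed raw strings. The input is a constructed blob built by `build_sample_blob` with the same scheme, not the resource extracted from this sample; its host:port is the 5.20.120.177:2404 endpoint the network section shows the sample contacting, and the key, password, the entry separator between multiple C2 hosts and the other field values are placeholders.

```python
FIELD_SEP = b"|\x1e\x1f|"   # documented field delimiter in the Remcos settings string
C2_ENTRY_SEP = b"\x1e\x1f"  # ASSUMPTION: separator between multiple host:port:password entries


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> dict:
    """Decode a Remcos-style settings resource: [key_len][key][rc4(settings)]."""
    if not blob:
        raise ValueError("empty resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + len(FIELD_SEP):
        raise ValueError("implausible key length %d for a %d-byte blob" % (key_len, len(blob)))
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    if FIELD_SEP not in plain:
        # Wrong key layout, a different Remcos version, or simply not a settings blob.
        raise ValueError("field separator not found after RC4 decryption")
    fields = plain.split(FIELD_SEP)
    c2 = []
    for entry in fields[0].split(C2_ENTRY_SEP):
        try:
            host, port, password = entry.decode("latin-1").split(":", 2)
            c2.append({"host": host, "port": int(port), "password": password})
        except ValueError:
            raise ValueError("malformed C2 entry %r" % entry)
    return {
        "key": key,
        "c2": c2,
        # Remaining fields are version-specific; keep them raw and indexed.
        "fields": [f.decode("latin-1", "replace") for f in fields],
    }


def looks_like_settings(blob: bytes) -> bool:
    """True when the blob decodes cleanly under the layout above."""
    try:
        parse_settings(blob)
        return True
    except ValueError:
        return False


def build_sample_blob(key: bytes, c2_entries: list[str], extra_fields: list[str]) -> bytes:
    """Constructed input for the demo: encode settings exactly as parse_settings expects."""
    first = C2_ENTRY_SEP.join(e.encode("latin-1") for e in c2_entries)
    plain = FIELD_SEP.join([first] + [f.encode("latin-1") for f in extra_fields])
    return bytes([len(key)]) + key + rc4(key, plain)


# Constructed sample blob: the host:port matches the C2 endpoint seen in the
# network section; the key, password and remaining field values are placeholders.
SAMPLE_KEY = b"examplekeyexamplekey"
SAMPLE_BLOB = build_sample_blob(SAMPLE_KEY, ["5.20.120.177:2404:pass"], ["1", "placeholder-a", "0"])

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_BLOB)
    print("rc4 key:", cfg["key"])
    for c2 in cfg["c2"]:
        print("c2: %s:%d (password %r)" % (c2["host"], c2["port"], c2["password"]))
    for i, f in enumerate(cfg["fields"]):
        print("field[%d] = %r" % (i, f))
```

On a real sample, feed `parse_settings` the raw bytes of the RT_RCDATA resource as dumped by a resource extractor; `looks_like_settings` is the cheap check to run before trusting the output, since RC4 with the wrong layout produces plausible-looking garbage rather than an error.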
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
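The import table alone corroborates most of the behavioural signatures at the top of the report: the keyboard-hook and key-state APIs behind "Installs a global keyboard hook", the CreateProcessW/WriteProcessMemory/SetThreadContext/ResumeThread set behind "Maps a DLL or memory area into another process", waveIn* for audio capture, BitBlt/GetDIBits for screenshots, URLDownloadToFileW for "download and launch executables", SystemParametersInfoW for the wallpaper change, and CoGetObject, the API used to activate a COM elevation moniker in CMSTPLUA-style UAC bypasses. The following is an added example, not code from the report or from Joe Sandbox: a small capability map that reads an import listing in the 'DLL.dll Func1, Func2' form the sandbox prints and reports which API groups are present. The sample input is the report's own import list trimmed to the names the rules use; the grouping, the labels and the per-group thresholds are the editor's assumptions, and a hit shows only that the code can call an API, not that it does.

```python
import re

# Constructed sample: the report's import listing, trimmed to the DLLs and
# names the rules below use (the complete list is in the table above).
SAMPLE_IMPORTS = """
KERNEL32.dll CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, OpenMutexA, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, IsDebuggerPresent, CreateMutexA, Sleep
USER32.dll GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyState, ExitWindowsEx, SendInput, mouse_event, SystemParametersInfoW
GDI32.dll BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDIBits, CreateDCA
ADVAPI32.dll CryptGenRandom, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegSetValueExW, RegCreateKeyExW
SHELL32.dll ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll CoInitializeEx, CoUninitialize, CoGetObject
WINMM.dll waveInOpen, waveInStart, waveInAddBuffer, waveInClose
WS2_32.dll gethostbyname, send, recv, connect, socket
urlmon.dll URLOpenBlockingStreamW, URLDownloadToFileW
WININET.dll InternetOpenUrlW, InternetOpenW, InternetReadFile
"""

# (label, API names that characterise the capability, minimum number that must be imported)
CAPABILITY_RULES = [
    ("keylogger: global keyboard hook + key-state decoding",
     {"SetWindowsHookExA", "CallNextHookEx", "GetKeyboardState", "ToUnicodeEx", "GetKeyState"}, 3),
    ("process injection/hollowing: remote write + thread context",
     {"CreateProcessW", "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread"}, 4),
    ("screen capture: GDI bitmap copy",
     {"BitBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDIBits"}, 3),
    ("audio capture: waveIn", {"waveInOpen", "waveInStart", "waveInAddBuffer"}, 2),
    ("clipboard read", {"OpenClipboard", "GetClipboardData"}, 2),
    ("download and execute",
     {"URLDownloadToFileW", "URLOpenBlockingStreamW", "ShellExecuteW", "CreateProcessW"}, 2),
    ("COM activation via CoGetObject (used by elevation-moniker UAC bypasses; the moniker string itself is not visible in imports)",
     {"CoGetObject", "CoInitializeEx"}, 2),
    ("wallpaper/desktop tampering", {"SystemParametersInfoW"}, 1),
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, 3),
    ("single-instance mutex", {"CreateMutexA", "OpenMutexA"}, 1),
    ("raw TCP client", {"socket", "connect", "send", "recv"}, 4),
    # IsDebuggerPresent is also imported by the Visual C++ CRT start-up code, so on
    # its own it is weak evidence; it is listed here only for completeness.
    ("anti-debug check (weak: also a CRT import)", {"IsDebuggerPresent"}, 1),
]


def parse_imports(text: str) -> dict[str, set[str]]:
    """Parse 'DLL.dll Func1, Func2, ...' lines into {dll_lowercase: {function names}}."""
    imports: dict[str, set[str]] = {}
    for line in text.strip().splitlines():
        m = re.match(r"^(\S+\.dll)\s+(.*)$", line.strip(), re.IGNORECASE)
        if not m:
            continue
        dll, funcs = m.group(1).lower(), m.group(2)
        imports.setdefault(dll, set()).update(f.strip() for f in funcs.split(",") if f.strip())
    return imports


def capabilities(imports: dict[str, set[str]]) -> list[tuple[str, list[str]]]:
    """Return (label, matched API names) for every rule whose threshold is met."""
    all_funcs = set().union(*imports.values()) if imports else set()
    hits = []
    for label, needed, minimum in CAPABILITY_RULES:
        matched = sorted(needed & all_funcs)
        if len(matched) >= minimum:
            hits.append((label, matched))
    return hits


def capability_labels(text: str) -> list[str]:
    return [label for label, _ in capabilities(parse_imports(text))]


if __name__ == "__main__":
    for label, matched in capabilities(parse_imports(SAMPLE_IMPORTS)):
        print("%-60s <- %s" % (label[:60], ", ".join(matched)))
```

The thresholds matter more than the lists: BitBlt alone appears in plenty of legitimate GUI code, but BitBlt together with CreateCompatibleDC and GetDIBits is how a screenshot is read back into a buffer. Feed `capability_labels` the import section of any Joe Sandbox report in the same layout to get the same triage.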
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T17:21:05.427080+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49700 | 5.20.120.177 | 2404 | TCP
2024-09-25T17:21:07.565125+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 17:21:04.671436071 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:04.676491022 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:04.676582098 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:04.681737900 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:04.686575890 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.377666950 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.427079916 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:05.505316019 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.552078962 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:05.569439888 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:05.581588030 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.581692934 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:05.592931986 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.931217909 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:05.989562988 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:06.017330885 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:06.065013885 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:06.073159933 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:06.082350969 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:06.925559998 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:21:06.930435896 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
Sep 25, 2024 17:21:06.930506945 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:21:06.930668116 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:21:06.936696053 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
Sep 25, 2024 17:21:07.563596964 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
Sep 25, 2024 17:21:07.565124989 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:21:07.615474939 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:07.620628119 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:08.643798113 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
Sep 25, 2024 17:21:08.643951893 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:21:18.837997913 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:18.839898109 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:18.846314907 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:47.661731005 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:21:47.663815975 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:21:47.668988943 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:22:16.277842999 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:22:16.288911104 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:22:16.293862104 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:22:44.977761030 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:22:44.984220982 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:22:44.990082979 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:22:56.834139109 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:22:57.254774094 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:22:57.911931038 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:22:59.115140915 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:23:01.521322966 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:23:06.505762100 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:23:13.883946896 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:23:13.885531902 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:23:13.892206907 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:23:16.115163088 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
Sep 25, 2024 17:23:42.399360895 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:23:42.401490927 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:23:42.406325102 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:24:11.110577106 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:24:11.112019062 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:24:11.118967056 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:24:39.815773964 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:24:39.816988945 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:24:39.821851015 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:25:08.527709007 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
Sep 25, 2024 17:25:08.529000998 CEST | 49700 | 2404 | 192.168.2.7 | 5.20.120.177
Sep 25, 2024 17:25:08.533768892 CEST | 2404 | 49700 | 5.20.120.177 | 192.168.2.7
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 25, 2024 17:21:06.908353090 CEST | 50457 | 53 | 192.168.2.7 | 1.1.1.1
                              Sep 25, 2024 17:21:06.916908979 CEST | 53 | 50457 | 1.1.1.1 | 192.168.2.7
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 25, 2024 17:21:06.908353090 CEST | 192.168.2.7 | 1.1.1.1 | 0x2510 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 25, 2024 17:21:06.916908979 CEST | 1.1.1.1 | 192.168.2.7 | 0x2510 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                              • geoplugin.net
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | 4600 | C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 25, 2024 17:21:06.930668116 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
                              Sep 25, 2024 17:21:07.563596964 CEST | 1170 | IN | HTTP/1.1 200 OK
                              date: Wed, 25 Sep 2024 15:21:07 GMT
                              server: Apache
                              content-length: 962
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                              Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                              Target ID:0
                              Start time:11:21:02
                              Start date:25/09/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x400000
                              File size:476'672 bytes
                              MD5 hash:4C128449B1492FC2FF49C431044D4B10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1247355487.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1247804602.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:11:21:03
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
                              Imagebase:0x400000
                              File size:476'672 bytes
                              MD5 hash:4C128449B1492FC2FF49C431044D4B10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.1253966896.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3717171506.00000000029A0000.00000040.10000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3705973509.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3710903443.000000000053E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 82%, ReversingLabs
                              Reputation:low
                              Has exited:false

                              Target ID:3
                              Start time:11:21:03
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:svchost.exe
                              Imagebase:0x7b0000
                              File size:46'504 bytes
                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.3710869118.0000000002A29000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                              Reputation:high
                              Has exited:false

                              Target ID:12
                              Start time:11:21:15
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
                              Imagebase:0x400000
                              File size:476'672 bytes
                              MD5 hash:4C128449B1492FC2FF49C431044D4B10
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000000.1378084777.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1378823959.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:14
                              Start time:11:21:23
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
                              Imagebase:0x400000
                              File size:476'672 bytes
                              MD5 hash:4C128449B1492FC2FF49C431044D4B10
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000000.1458791256.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.1459776587.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:15
                              Start time:13:00:00
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows Driver Server.exe"
                              Imagebase:0x400000
                              File size:476'672 bytes
                              MD5 hash:4C128449B1492FC2FF49C431044D4B10
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000000.1539705372.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1540202104.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:30.8%
                                Total number of Nodes:717
                                Total number of Limit Nodes:15
                                execution_graph 47047 434918 47048 434924 ___scrt_is_nonwritable_in_current_image 47047->47048 47074 434627 47048->47074 47050 43492b 47052 434954 47050->47052 47362 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 47050->47362 47061 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 47052->47061 47363 4442d2 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47052->47363 47054 43496d 47056 434973 ___scrt_is_nonwritable_in_current_image 47054->47056 47364 444276 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 47054->47364 47057 4349f3 47085 434ba5 47057->47085 47061->47057 47365 443487 35 API calls 5 library calls 47061->47365 47067 434a15 47068 434a1f 47067->47068 47367 4434bf 28 API calls _abort 47067->47367 47070 434a28 47068->47070 47368 443462 28 API calls _abort 47068->47368 47369 43479e 13 API calls 2 library calls 47070->47369 47073 434a30 47073->47056 47075 434630 47074->47075 47370 434cb6 IsProcessorFeaturePresent 47075->47370 47077 43463c 47371 438fb1 10 API calls 4 library calls 47077->47371 47079 434641 47080 434645 47079->47080 47372 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47079->47372 47080->47050 47082 43464e 47083 43465c 47082->47083 47373 438fda 8 API calls 3 library calls 47082->47373 47083->47050 47374 436f10 47085->47374 47088 4349f9 47089 444223 47088->47089 47376 44f0d9 47089->47376 47091 44422c 47092 434a02 47091->47092 47380 446895 35 API calls 47091->47380 47094 40ea00 47092->47094 47382 41cbe1 LoadLibraryA GetProcAddress 47094->47382 47096 40ea1c GetModuleFileNameW 47387 40f3fe 47096->47387 47098 40ea38 47402 4020f6 47098->47402 47101 4020f6 28 API calls 47102 40ea56 47101->47102 47408 41beac 47102->47408 47106 40ea68 47434 401e8d 47106->47434 47108 40ea71 47109 40ea84 47108->47109 47110 
                                Call graph (rendered graph view; node and edge listing of the graph widget)

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                Control-flow Graph

                                Control-flow graph of the function at 40ea00 (rendered graph view; legend: Executed / Not Executed)
                                APIs
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 0040EA29
                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: ,aF$,aF$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\file.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-HWAIZA$Rmc-HWAIZA-W$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-4292033497
                                • Opcode ID: fe1218dcdd2ee8f5bc1f153358e3bb53c57fd8df722902b52d449cfd859b7d86
                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                • Opcode Fuzzy Hash: fe1218dcdd2ee8f5bc1f153358e3bb53c57fd8df722902b52d449cfd859b7d86
                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                Control-flow Graph

                                APIs
                                • _wcslen.LIBCMT ref: 0040CE42
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\file.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                • _wcslen.LIBCMT ref: 0040CF21
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\file.exe,00000000,00000000), ref: 0040CFBF
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                • _wcslen.LIBCMT ref: 0040D001
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                • ExitProcess.KERNEL32 ref: 0040D09D
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: 6$C:\Users\user\Desktop\file.exe$del$open$xdF
                                • API String ID: 1579085052-2055140473
                                • Opcode ID: 6495fde6b392f9eb858c2a3303a44b43b13ad5651f9396b40cf209a04b4d567a
                                • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                • Opcode Fuzzy Hash: 6495fde6b392f9eb858c2a3303a44b43b13ad5651f9396b40cf209a04b4d567a
                                • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E

                                Control-flow Graph

                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: f677b184e2958f0b2dd312a30a97c4d74d468730a3d54230eeada2fdf4b7ea91
                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                • Opcode Fuzzy Hash: f677b184e2958f0b2dd312a30a97c4d74d468730a3d54230eeada2fdf4b7ea91
                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: 097ad4c18ec624fedb80d4884fd642f61090c82991f5822b1a7281923b4d9afc
                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                • Opcode Fuzzy Hash: 097ad4c18ec624fedb80d4884fd642f61090c82991f5822b1a7281923b4d9afc
                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                Control-flow Graph

                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,771B37E0,?), ref: 00413888
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,771B37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 1818849710-1051519024
                                • Opcode ID: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                • Opcode Fuzzy Hash: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94

                                Control-flow Graph

                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                • GetLastError.KERNEL32 ref: 0040D0BE
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-HWAIZA
                                • API String ID: 1925916568-1998418401
                                • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                Control-flow Graph

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                • RegCloseKey.KERNEL32(?), ref: 0041362D
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                • Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4

                                Control-flow Graph

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                Similarity
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-414524693
                                • Opcode ID: fcdbf4fb6dd101d42f9977cf6d492e888bbba3eaf2df88b777301792a4f9f952
                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                • Opcode Fuzzy Hash: fcdbf4fb6dd101d42f9977cf6d492e888bbba3eaf2df88b777301792a4f9f952
                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 4e0e51eae43e70e6e71cd3b3c3200dbf323499d4a63d623091f524599769142d
                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                • Opcode Fuzzy Hash: 4e0e51eae43e70e6e71cd3b3c3200dbf323499d4a63d623091f524599769142d
                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$Rmc-HWAIZA-W$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-704763658
                                • Opcode ID: 5b39788ef8af416a2787ea4c2b95ca84e87902529ae54a03cad292e105e626db
                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                • Opcode Fuzzy Hash: 5b39788ef8af416a2787ea4c2b95ca84e87902529ae54a03cad292e105e626db
                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: 84272cd078f5dd96425807e02dfef06d30edfacf1bd987a36cf4d4ac3b33a48d
                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                • Opcode Fuzzy Hash: 84272cd078f5dd96425807e02dfef06d30edfacf1bd987a36cf4d4ac3b33a48d
                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                APIs
                                • OpenClipboard.USER32 ref: 004168FD
                                • EmptyClipboard.USER32 ref: 0041690B
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                • CloseClipboard.USER32 ref: 00416990
                                • OpenClipboard.USER32 ref: 00416997
                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                • CloseClipboard.USER32 ref: 004169BF
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$xdF
                                • API String ID: 3520204547-3540039394
                                • Opcode ID: f76d19ba9205f9d175998ddab78cc985ebb73623b778e01421a556dab9364850
                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                • Opcode Fuzzy Hash: f76d19ba9205f9d175998ddab78cc985ebb73623b778e01421a556dab9364850
                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
                                • API String ID: 3756808967-2341171916
                                • Opcode ID: e719c4079ecc538e3d72e9f93569120f8f081c39d9c1cb93760889fb79dc4b35
                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                • Opcode Fuzzy Hash: e719c4079ecc538e3d72e9f93569120f8f081c39d9c1cb93760889fb79dc4b35
                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 11f57d61b12c0efa0043e7d00ad3c85788b2faa7f690f7da1a38fb2ea654c925
                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                • Opcode Fuzzy Hash: 11f57d61b12c0efa0043e7d00ad3c85788b2faa7f690f7da1a38fb2ea654c925
                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                APIs
                                • __EH_prolog.LIBCMT ref: 0041A04A
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                • API String ID: 489098229-1431523004
                                • Opcode ID: 965bdd5cead83715db6b8d3f537c7cfccf5eddc26aa64969169a3fa2730a8ce0
                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                • Opcode Fuzzy Hash: 965bdd5cead83715db6b8d3f537c7cfccf5eddc26aa64969169a3fa2730a8ce0
                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                • Opcode Fuzzy Hash: 22386a43a60047858d5371973b5e3297a85e3cc3c05708fada6b2de72b5e662f
                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                APIs
                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-3345310279
                                • Opcode ID: 0c2a3801cae00969e12b127efc78c0bcf29ed3b0a45619b825154084a83bf59e
                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                • Opcode Fuzzy Hash: 0c2a3801cae00969e12b127efc78c0bcf29ed3b0a45619b825154084a83bf59e
                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                APIs
                                • _wcslen.LIBCMT ref: 0040755C
                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                • GetLastError.KERNEL32 ref: 0041A84C
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: 85b1aa034cf2ca10e34f36ec718ddd18335c5ccdfa8f2919256ba29ae802ac4e
                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                • Opcode Fuzzy Hash: 85b1aa034cf2ca10e34f36ec718ddd18335c5ccdfa8f2919256ba29ae802ac4e
                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: 8SG$8eF$PXG$PXG$NG$PG
                                • API String ID: 341183262-432830541
                                • Opcode ID: 5000a1ae517004edb588aecbc8a4db28259567cc90a4b3620c8caad66856040e
                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                • Opcode Fuzzy Hash: 5000a1ae517004edb588aecbc8a4db28259567cc90a4b3620c8caad66856040e
                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: JD$JD$JD
                                • API String ID: 745075371-3517165026
                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: 06f370a9e4983d2c58a933ed4bed50165899f0e3413c28458b6448c666c51bfd
                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                • Opcode Fuzzy Hash: 06f370a9e4983d2c58a933ed4bed50165899f0e3413c28458b6448c666c51bfd
                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                • GetLastError.KERNEL32 ref: 0040A328
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                • TranslateMessage.USER32(?), ref: 0040A385
                                • DispatchMessageA.USER32(?), ref: 0040A390
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: ee9b61757b1d841530661ae87ecce44939ab300f3fbebbd6f189632f482ecdb9
                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                • Opcode Fuzzy Hash: ee9b61757b1d841530661ae87ecce44939ab300f3fbebbd6f189632f482ecdb9
                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A451
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                • GetKeyState.USER32(00000010), ref: 0040A46E
                                • GetKeyboardState.USER32(?), ref: 0040A479
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
                                • API String ID: 4168288129-3873169313
                                • Opcode ID: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                • Opcode Fuzzy Hash: ed5127cdc400e90a0cd04182132ef1189bad1dc249964083a3aeb657203f5d4f
                                • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: f945da85bb6bebb72834e1637a6fb62ef5415d014cc959b1a16cbfa1d09daad7
                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                • Opcode Fuzzy Hash: f945da85bb6bebb72834e1637a6fb62ef5415d014cc959b1a16cbfa1d09daad7
                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                APIs
                                • _free.LIBCMT ref: 00449292
                                • _free.LIBCMT ref: 004492B6
                                • _free.LIBCMT ref: 0044943D
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                • _free.LIBCMT ref: 00449609
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: 96204728cb61d8c15a3af11bbf12a0fe686246dcf5e600d22fc5db37ebe197ba
                                • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                • Opcode Fuzzy Hash: 96204728cb61d8c15a3af11bbf12a0fe686246dcf5e600d22fc5db37ebe197ba
                                • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: 0aF$0aF$C:\Users\user\Desktop\file.exe$open
                                • API String ID: 2825088817-2797839479
                                • Opcode ID: 8d14234489d2dc2ef74fbffaebafc3077de5391ae8676338d369892ecc6f296d
                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                • Opcode Fuzzy Hash: 8d14234489d2dc2ef74fbffaebafc3077de5391ae8676338d369892ecc6f296d
                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040884C
                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: xdF
                                • API String ID: 1771804793-999140092
                                • Opcode ID: 9f3222fd4972e7f08ae4cd94b003485bbb971300a115a932fd628a62a647425b
                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                • Opcode Fuzzy Hash: 9f3222fd4972e7f08ae4cd94b003485bbb971300a115a932fd628a62a647425b
                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 2cc4c98366e7808a271e7c632f75cb50a4f1af551eb6cb73e97900443625eaee
                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                • Opcode Fuzzy Hash: 2cc4c98366e7808a271e7c632f75cb50a4f1af551eb6cb73e97900443625eaee
                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                • GetLastError.KERNEL32 ref: 0040BA93
                                Strings
                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                • UserProfile, xrefs: 0040BA59
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                • GetLastError.KERNEL32 ref: 004179D8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                APIs
                                • __EH_prolog.LIBCMT ref: 00409293
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                • Opcode ID: ff3fa93bb162536d5c9b5af999d8eb32324236848a0741c788d8c8c5ee2ae2a2
                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                • Opcode Fuzzy Hash: ff3fa93bb162536d5c9b5af999d8eb32324236848a0741c788d8c8c5ee2ae2a2
                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: FSE$FSE$PkGNG
                                • API String ID: 0-1266307253
                                • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                • Opcode Fuzzy Hash: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                APIs
                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                  • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                  • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                • ExitProcess.KERNEL32 ref: 0040F905
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 5.1.2 Pro$override$pth_unenc
                                • API String ID: 2281282204-3554326054
                                • Opcode ID: a714137567908d9c97d324425ccf51a11c07c7ab7429f9148a74f36fb29f3f55
                                • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                • Opcode Fuzzy Hash: a714137567908d9c97d324425ccf51a11c07c7ab7429f9148a74f36fb29f3f55
                                • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                APIs
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                Strings
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: 8eF$XPG$XPG
                                • API String ID: 4113138495-4157548504
                                • Opcode ID: 41684cb1e88a3f667192eedea710f542025b1d24c6d635ee1a598caf91c6a2f1
                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                • Opcode Fuzzy Hash: 41684cb1e88a3f667192eedea710f542025b1d24c6d635ee1a598caf91c6a2f1
                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                  • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3126330168
                                • Opcode ID: f00c69a75e1b3afaad6a5a5a919f895949413b17b23121d32957091e0e165462
                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                • Opcode Fuzzy Hash: f00c69a75e1b3afaad6a5a5a919f895949413b17b23121d32957091e0e165462
                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                APIs
                                • __EH_prolog.LIBCMT ref: 004096A5
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: d95c5d10ec8c802ca17e1fdb0925f1667ecef1613424a6e27ce08fc68be056f6
                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                • Opcode Fuzzy Hash: d95c5d10ec8c802ca17e1fdb0925f1667ecef1613424a6e27ce08fc68be056f6
                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                • ExitProcess.KERNEL32 ref: 0044338F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: PkGNG
                                • API String ID: 1703294689-263838557
                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID:
                                • API String ID: 4212172061-0
                                • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: p'E$JD
                                • API String ID: 1084509184-908320845
                                • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                APIs
                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040B74C
                                • GetClipboardData.USER32(0000000D), ref: 0040B758
                                • CloseClipboard.USER32 ref: 0040B760
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenResume
                                • String ID:
                                • API String ID: 3614150671-0
                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenSuspend
                                • String ID:
                                • API String ID: 1999457699-0
                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,004533A6,000000FF,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID: PkGNG
                                • API String ID: 3997070919-263838557
                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-3916222277
                                • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: JD
                                • API String ID: 1084509184-2669065882
                                • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                APIs
                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name$ComputerUser
                                • String ID:
                                • API String ID: 4229901323-0
                                • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG$wA
                                • API String ID: 0-1404076192
                                • Opcode ID: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                • Opcode Fuzzy Hash: a138c4e0aeabb2bccdb66877e2b9435159f75a40726a9d3314504188017a6109
                                • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$PkGNG
                                • API String ID: 0-1056914901
                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                • API String ID: 3859560861-0
                                • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                • Opcode Fuzzy Hash: cd36fe8c387ca2855096d15b7bf2cfed8e34aa58cb0db234df7a19e6c716ea84
                                • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                • Opcode Fuzzy Hash: 88b47d59bd8f9e39717b2a9a8c0dcea2e64fabbb26349240269cb2a589f8870d
                                • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                APIs
                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                • Instruction Fuzzy Hash:
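A small parser for the call lines in the APIs blocks above, added here as an example; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It assumes the line format visible on this page (an optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE, an optional argument list, then a "ref:" call-site address) and that a Function_XXXXXXXX argument is an image-relative offset against the 0x400000 base shown in the Memory Dump Source lines; both are assumptions about the report format, not documented behaviour. The sample input is the call lines copied from the records above. The useful output for triage is the list of literal string arguments (here PkGNG, JD and 5.1.2 Pro), which are the arguments worth a second look in a report like this one.

```python
"""Parse the 'APIs' call lines of Joe Sandbox function records.

Added example, not part of the Joe Sandbox report or its tooling.
The line format and the Function_XXXXXXXX interpretation are assumptions
inferred from the report text; adjust the regex for other report versions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: call lines copied from the report above.
SAMPLE_LINES = [
    "• Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299",
    "• Part of subcall function 00448295: _free.LIBCMT ref: 004482CC",
    "• Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D",
    "• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7",
    "• EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007",
    "• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920",
    "• SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD",
]

IMAGE_BASE = 0x400000  # "Offset: 00400000" in the Memory Dump Source lines


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                  # address of the call site
    subcall: Optional[int]    # enclosing subcall function, if the line is a subcall entry


# Optional subcall prefix, Name.MODULE, optional "(args)", then ", ref: ADDR" or " ref: ADDR".
_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one report line, or None if it is not a call line."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return ApiCall(
        api=m.group("api"),
        module=m.group("mod"),
        args=[a.strip() for a in raw.split(",")] if raw else [],
        ref=int(m.group("ref"), 16),
        subcall=int(m.group("sub"), 16) if m.group("sub") else None,
    )


def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def literal_string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither an 8-hex-digit value, '?' (unresolved),
    nor a Function_ reference: the strings the sandbox resolved from memory,
    which is where version strings and mutex-like names show up."""
    out: List[str] = []
    for c in calls:
        for a in c.args:
            if a == "?" or _HEX8.match(a) or a.startswith("Function_"):
                continue
            if a not in out:
                out.append(a)
    return out


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself rather than reported via a subcall."""
    return [c for c in calls if c.subcall is None]


def resolve_function_ref(arg: str, base: int = IMAGE_BASE) -> Optional[int]:
    """Map 'Function_00034BE4' to a virtual address (assumes image-relative offset)."""
    if not arg.startswith("Function_"):
        return None
    return base + int(arg[len("Function_"):], 16)


def parse_sample() -> List[ApiCall]:
    return parse_api_lines(SAMPLE_LINES)


if __name__ == "__main__":
    calls = parse_sample()
    for c in direct_calls(calls):
        print(f"{c.ref:08X} {c.api}.{c.module} argc={len(c.args)}")
    print("literal string args:", literal_string_args(calls))
    print("filter VA:", hex(resolve_function_ref("Function_00034BE4")))
```

On the sample above, direct_calls yields the four calls the records make themselves (GetLocaleInfoW, EnumSystemLocalesW, GetLocaleInfoA, SetUnhandledExceptionFilter) and resolve_function_ref maps the filter argument to 0x434BE4, which sits right after the call site at 0x434BDD; that adjacency is consistent with the offset assumption but is not a confirmation of it.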
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                • Opcode Fuzzy Hash: 51b096497e0208ccec2a2f4b5eaf582f7b18d03e206244163c5319e84589e6e5
                                • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                 Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                • Opcode Fuzzy Hash: f668ae4ce8ddce9dd25c23f8729a4a0b6b4a9a792d26258ec3aea80ac56d2768
                                • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508

                                Control-flow Graph

                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                • DeleteObject.GDI32(?), ref: 00419027
                                • DeleteObject.GDI32(?), ref: 00419034
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                • DeleteDC.GDI32(?), ref: 004191B7
                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                • GlobalFree.KERNEL32(?), ref: 00419283
                                • DeleteDC.GDI32(?), ref: 00419293
                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                • String ID: DISPLAY

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                • ExitProcess.KERNEL32 ref: 0040D80B
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                • ResumeThread.KERNEL32(?), ref: 00418470
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                • GetLastError.KERNEL32 ref: 004184B5
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                • ExitProcess.KERNEL32 ref: 0040D454
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$Rmc-HWAIZA-W$WDH$exepath$open$temp_
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                • SetEvent.KERNEL32 ref: 0041B2AA
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 0fbf736d3383e5cc5d491e169fc612faaeb06a6d706925a020033915c25ef3a5
                                • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                • Opcode Fuzzy Hash: 0fbf736d3383e5cc5d491e169fc612faaeb06a6d706925a020033915c25ef3a5
                                • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\file.exe,00000001,00407688,C:\Users\user\Desktop\file.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\Desktop\file.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-3783450905
                                • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                • _wcslen.LIBCMT ref: 0041C1CC
                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                • GetLastError.KERNEL32 ref: 0041C204
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                • GetLastError.KERNEL32 ref: 0041C261
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                • API String ID: 1223786279-4119708859
                                • Opcode ID: 45bb86a03d236021c2b5709561dafa45d2a2b4b61918cb452c046091fb1f1ee4
                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                • Opcode Fuzzy Hash: 45bb86a03d236021c2b5709561dafa45d2a2b4b61918cb452c046091fb1f1ee4
                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                • __aulldiv.LIBCMT ref: 00408D88
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                • API String ID: 3086580692-3944908133
                                • Opcode ID: 19b51cd863cd886cd5e98cd52eeaca39aba847a63965172dc943cb0bd9086d01
                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                • Opcode Fuzzy Hash: 19b51cd863cd886cd5e98cd52eeaca39aba847a63965172dc943cb0bd9086d01
                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
                                • API String ID: 3795512280-661585845
                                • Opcode ID: 38bcf4da2818a4b96d4ef165a0e03b891759a86788c01250a05b120b3fa8ba34
                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                • Opcode Fuzzy Hash: 38bcf4da2818a4b96d4ef165a0e03b891759a86788c01250a05b120b3fa8ba34
                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: EIA$\ws2_32$\wship6$getaddrinfo
                                • API String ID: 2490988753-3348721785
                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                • GetCursorPos.USER32(?), ref: 0041D67A
                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID: PkGNG
                                • API String ID: 3658366068-263838557
                                • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                • API String ID: 1913171305-1736969612
                                • Opcode ID: 2f2d6e49ba912313e16d8da3eed41f081edfcc2e264bbf73932c94776b7c16d5
                                • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                • Opcode Fuzzy Hash: 2f2d6e49ba912313e16d8da3eed41f081edfcc2e264bbf73932c94776b7c16d5
                                • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-3229884001
                                • Opcode ID: 8727b35ab32fadf03299dd4f76dfb967f59a8876f9b97ca3f207b2ef3db9db61
                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                • Opcode Fuzzy Hash: 8727b35ab32fadf03299dd4f76dfb967f59a8876f9b97ca3f207b2ef3db9db61
                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                • _free.LIBCMT ref: 0045137F
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 004513A1
                                • _free.LIBCMT ref: 004513B6
                                • _free.LIBCMT ref: 004513C1
                                • _free.LIBCMT ref: 004513E3
                                • _free.LIBCMT ref: 004513F6
                                • _free.LIBCMT ref: 00451404
                                • _free.LIBCMT ref: 0045140F
                                • _free.LIBCMT ref: 00451447
                                • _free.LIBCMT ref: 0045144E
                                • _free.LIBCMT ref: 0045146B
                                • _free.LIBCMT ref: 00451483
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                APIs
                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                • GetLastError.KERNEL32 ref: 00455D6F
                                • __dosmaperr.LIBCMT ref: 00455D76
                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                • GetLastError.KERNEL32 ref: 00455D8C
                                • __dosmaperr.LIBCMT ref: 00455D95
                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                • GetLastError.KERNEL32 ref: 00455F31
                                • __dosmaperr.LIBCMT ref: 00455F38
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                • __freea.LIBCMT ref: 0044AEB0
                                  • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                • __freea.LIBCMT ref: 0044AEB9
                                • __freea.LIBCMT ref: 0044AEDE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                • String ID: PkGNG$tC
                                • API String ID: 2597970681-4196309852
                                • Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                • Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                • GetForegroundWindow.USER32 ref: 0040AD84
                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: 3b86e5728e4c13149801c170c30695205492d28a0b9ccacfa345e82a3404f02b
                                • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                • Opcode Fuzzy Hash: 3b86e5728e4c13149801c170c30695205492d28a0b9ccacfa345e82a3404f02b
                                • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                APIs
                                • OpenClipboard.USER32 ref: 0041697C
                                • EmptyClipboard.USER32 ref: 0041698A
                                • CloseClipboard.USER32 ref: 00416990
                                • OpenClipboard.USER32 ref: 00416997
                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                • CloseClipboard.USER32 ref: 004169BF
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$xdF
                                • API String ID: 2172192267-3540039394
                                • Opcode ID: ed6f958512443405e6a7d63718444cd0706a6b1459f0150e95220e4de6b931e6
                                • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                • Opcode Fuzzy Hash: ed6f958512443405e6a7d63718444cd0706a6b1459f0150e95220e4de6b931e6
                                • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                • __dosmaperr.LIBCMT ref: 0043A926
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                • __dosmaperr.LIBCMT ref: 0043A963
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                • _free.LIBCMT ref: 0043A9C3
                                • _free.LIBCMT ref: 0043A9CA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 6c159af9cd5de4418d7d7e9ea082b42dfe52a86a5cabd9b9fe227efbe021e931
                                • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                • Opcode Fuzzy Hash: 6c159af9cd5de4418d7d7e9ea082b42dfe52a86a5cabd9b9fe227efbe021e931
                                • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                APIs
                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                • API String ID: 3114080316-4028018678
                                • Opcode ID: fe168792520c5793dc05ba58198f1e2536225567b4564e2a0964fe8040b98874
                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                • Opcode Fuzzy Hash: fe168792520c5793dc05ba58198f1e2536225567b4564e2a0964fe8040b98874
                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                APIs
                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                • Opcode ID: 373971d0b9ba22d7e40d57986431c1bc6258092355ab0a6007605fd9627d990e
                                • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                • Opcode Fuzzy Hash: 373971d0b9ba22d7e40d57986431c1bc6258092355ab0a6007605fd9627d990e
                                • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                • int.LIBCPMT ref: 00410EBC
                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG$@!G
                                • API String ID: 3815856325-312998898
                                • Opcode ID: 691fe6bb791e4545bf7d4213160ce4246fafe9108d6505ece18590782863a067
                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                • Opcode Fuzzy Hash: 691fe6bb791e4545bf7d4213160ce4246fafe9108d6505ece18590782863a067
                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                APIs
                                • _free.LIBCMT ref: 004481B5
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 004481C1
                                • _free.LIBCMT ref: 004481CC
                                • _free.LIBCMT ref: 004481D7
                                • _free.LIBCMT ref: 004481E2
                                • _free.LIBCMT ref: 004481ED
                                • _free.LIBCMT ref: 004481F8
                                • _free.LIBCMT ref: 00448203
                                • _free.LIBCMT ref: 0044820E
                                • _free.LIBCMT ref: 0044821C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                Strings
                                • DisplayName, xrefs: 0041C7CD
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                • API String ID: 1332880857-3614651759
                                • Opcode ID: 3db40d5ffb7d5cbecbf5d8d3116ac388286af9b652dd10e74880dfaeabcecbc5
                                • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                • Opcode Fuzzy Hash: 3db40d5ffb7d5cbecbf5d8d3116ac388286af9b652dd10e74880dfaeabcecbc5
                                • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: 143e293dc448f1e5c105ad38ef57f5737fd13c20a1ae079dd900b3adf54cbd4b
                                • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                • Opcode Fuzzy Hash: 143e293dc448f1e5c105ad38ef57f5737fd13c20a1ae079dd900b3adf54cbd4b
                                • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                • __fassign.LIBCMT ref: 0044B4F9
                                • __fassign.LIBCMT ref: 0044B514
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PkGNG
                                • API String ID: 1324828854-263838557
                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: c9351419a8621dca6a60e6cb18ed357e990f665e55303286421ffa03bd094677
                                • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                • Opcode Fuzzy Hash: c9351419a8621dca6a60e6cb18ed357e990f665e55303286421ffa03bd094677
                                • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\file.exe), ref: 004074D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                • Opcode ID: c585949dd3bb61b8991127a735a6e95ad44a9e3dd2dd4a23ca6c15d195e89e56
                                • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                • Opcode Fuzzy Hash: c585949dd3bb61b8991127a735a6e95ad44a9e3dd2dd4a23ca6c15d195e89e56
                                • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                • TranslateMessage.USER32(?), ref: 0041D57A
                                • DispatchMessageA.USER32(?), ref: 0041D584
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                • __alloca_probe_16.LIBCMT ref: 00454014
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                  • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                • __freea.LIBCMT ref: 00454083
                                • __freea.LIBCMT ref: 0045408F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                • String ID:
                                • API String ID: 3256262068-0
                                • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                • _free.LIBCMT ref: 00445515
                                • _free.LIBCMT ref: 0044552E
                                • _free.LIBCMT ref: 00445560
                                • _free.LIBCMT ref: 00445569
                                • _free.LIBCMT ref: 00445575
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: PkG$XMG$NG$NG
                                • API String ID: 1649129571-3151166067
                                • Opcode ID: 1f68019d026f5db955a365a40989cf1478848d523317d77e024de1e0255c4bf1
                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                • Opcode Fuzzy Hash: 1f68019d026f5db955a365a40989cf1478848d523317d77e024de1e0255c4bf1
                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: b090607113a256cb4db50371f0e2807fa5fe8ef22662c364554b32ed8325629b
                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                • Opcode Fuzzy Hash: b090607113a256cb4db50371f0e2807fa5fe8ef22662c364554b32ed8325629b
                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                APIs
                                • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$Window$AllocOutputShow
                                • String ID: Remcos v$5.1.2 Pro$CONOUT$
                                • API String ID: 4067487056-1584637518
                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                APIs
                                • SendInput.USER32 ref: 00419A25
                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend$Virtual
                                • String ID:
                                • API String ID: 1167301434-0
                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$h{D
                                • API String ID: 2936374016-2303565833
                                • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                APIs
                                  • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                • _free.LIBCMT ref: 00444E87
                                • _free.LIBCMT ref: 00444E9E
                                • _free.LIBCMT ref: 00444EBD
                                • _free.LIBCMT ref: 00444ED8
                                • _free.LIBCMT ref: 00444EEF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocHeap
                                • String ID: KED
                                • API String ID: 1835388192-2133951994
                                • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 216f8fb6fede5631b8986906638379c63e93da7f4b159e3140e3e5904691cc12
                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                • Opcode Fuzzy Hash: 216f8fb6fede5631b8986906638379c63e93da7f4b159e3140e3e5904691cc12
                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                • __alloca_probe_16.LIBCMT ref: 00451231
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                • __freea.LIBCMT ref: 0045129D
                                  • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                • String ID: PkGNG
                                • API String ID: 1857427562-263838557
                                • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                APIs
                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                • _wcslen.LIBCMT ref: 0041B7F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: 9d133ee59836a40fd836fe8c9881721a949b752582f63eb8daa0b6218c0d1483
                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                • Opcode Fuzzy Hash: 9d133ee59836a40fd836fe8c9881721a949b752582f63eb8daa0b6218c0d1483
                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                APIs
                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: 1170c70cc24d2befb54ece29b40817bddecf8c58df688f5790fffc0aa4d9cc86
                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                • Opcode Fuzzy Hash: 1170c70cc24d2befb54ece29b40817bddecf8c58df688f5790fffc0aa4d9cc86
                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                APIs
                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                • _free.LIBCMT ref: 00450FC8
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00450FD3
                                • _free.LIBCMT ref: 00450FDE
                                • _free.LIBCMT ref: 00451032
                                • _free.LIBCMT ref: 0045103D
                                • _free.LIBCMT ref: 00451048
                                • _free.LIBCMT ref: 00451053
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                • int.LIBCPMT ref: 004111BE
                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                APIs
                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\file.exe), ref: 0040760B
                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                • CoUninitialize.OLE32 ref: 00407664
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\Desktop\file.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-1769957369
                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                • GetLastError.KERNEL32 ref: 0040BB22
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                • UserProfile, xrefs: 0040BAE8
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
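Added example (not code from the sample, and not part of the Joe Sandbox report): detection logic for the two cookie-wiping routines listed above, the one that resolves the "Cookies" value under Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and tests it with PathFileExistsA, and the one that expands UserProfile, appends \AppData\Local\Google\Chrome\User Data\Default\Cookies and calls DeleteFileA, branching on GetLastError into "[Chrome Cookies not found]" or "[Chrome Cookies found, cleared!]". The log format (timestamp|pid|image|operation|path|status) is a constructed, hypothetical one, and the two IE cookie folder paths are an assumption about where the User Shell Folders value normally points; only the Chrome path is taken verbatim from the strings in the report.

```python
"""Flag deletion of browser cookie stores by a process that is not the browser.

Added example for this report; input is a constructed, pipe-separated
file-operation log. Adapt parse_line() to your own EDR or Sysmon export.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Chrome path: verbatim from the sample's strings (the sample prepends the
# expanded %UserProfile% via ExpandEnvironmentStringsA). The IE folders are an
# assumption about where the "Cookies" value under
# HKCU\...\Explorer\User Shell Folders normally resolves; the sample reads that
# value from the registry instead of hard-coding it.
CHROME_COOKIES_TAIL = r"\appdata\local\google\chrome\user data\default\cookies"
IE_COOKIE_DIRS = (
    r"\appdata\local\microsoft\windows\inetcookies",  # Windows 8 and later
    r"\appdata\roaming\microsoft\windows\cookies",    # Windows 7
)

# Browsers legitimately delete and recreate their own cookie databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    store: str       # "chrome" or "ie"
    path: str
    succeeded: bool  # False when the delete failed (e.g. store not present)


def classify(path: str) -> Optional[str]:
    """Return which cookie store a path belongs to, or None."""
    p = path.lower().replace("/", "\\")
    if p.endswith(CHROME_COOKIES_TAIL):
        return "chrome"
    if any(d in p for d in IE_COOKIE_DIRS):
        return "ie"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one hypothetical log line; return None for malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, pid, image, op, path, status = parts
    return {"ts": ts, "pid": int(pid), "image": image, "op": op,
            "path": path, "status": status}


def detect_cookie_wipes(lines: Iterable[str]) -> list[Finding]:
    """Report FileDelete operations on a cookie store by a non-browser image.

    A failed delete is still reported: the sample logs "[... not found]" and
    carries on, so the attempt is the signal, not the outcome.
    """
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "FileDelete":
            continue
        store = classify(rec["path"])
        if store is None:
            continue
        if rec["image"].rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue
        findings.append(Finding(rec["pid"], rec["image"], store,
                                rec["path"], rec["status"] == "success"))
    return findings


# Constructed sample log: a read, the two deletions an infected host would
# show, and a benign delete by the browser itself.
SAMPLE_LOG = """\
2024-09-26T10:15:00Z|4132|C:\\Users\\user\\Desktop\\file.exe|FileRead|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies|success
2024-09-26T10:15:01Z|4132|C:\\Users\\user\\Desktop\\file.exe|FileDelete|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies|success
2024-09-26T10:15:01Z|4132|C:\\Users\\user\\Desktop\\file.exe|FileDelete|C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\ABCD1234.txt|error:2
2024-09-26T10:16:30Z|5120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|FileDelete|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies|success
"""


if __name__ == "__main__":
    for f in detect_cookie_wipes(SAMPLE_LOG.splitlines()):
        print(f"pid {f.pid} {f.image} deleted {f.store} cookie store "
              f"{f.path} (succeeded={f.succeeded})")
```

Run against the constructed log this reports the two deletions by file.exe and ignores both the read and chrome.exe rewriting its own database. The failed IE delete (error:2, file not found) is kept on purpose, since the sample's own "[... not found]" branch shows it tolerates a missing store and keeps going.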
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: C:\Users\user\Desktop\file.exe$Rmc-HWAIZA$xdF
                                • API String ID: 0-953339260
                                • Opcode ID: 9ede8093406f94065d2c8ec1b346fdbac0eadabd7f062fb770d3fd7eb18269e7
                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                • Opcode Fuzzy Hash: 9ede8093406f94065d2c8ec1b346fdbac0eadabd7f062fb770d3fd7eb18269e7
                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                • API String ID: 4061214504-213444651
                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                APIs
                                • _free.LIBCMT ref: 00444106
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00444118
                                • _free.LIBCMT ref: 0044412B
                                • _free.LIBCMT ref: 0044413C
                                • _free.LIBCMT ref: 0044414D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID: x[h
                                • API String ID: 776569668-3213200655
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                APIs
                                • __allrem.LIBCMT ref: 0043ACE9
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                • __allrem.LIBCMT ref: 0043AD1C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                • __allrem.LIBCMT ref: 0043AD51
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                APIs
                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID:
                                • API ID: __cftoe
                                • String ID:
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID: PkGNG
                                APIs
                                • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                • _free.LIBCMT ref: 004482CC
                                • _free.LIBCMT ref: 004482F4
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                • _abort.LIBCMT ref: 00448313
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$,aF$NG
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID: PkGNG
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                • wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                • GetLastError.KERNEL32 ref: 0041D611
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                • SetEvent.KERNEL32(?), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                APIs
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                • _free.LIBCMT ref: 0044943D
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00449609
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                APIs
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                  • Part of subcall function 004461B8: HeapAlloc.KERNEL32(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                • _free.LIBCMT ref: 0044F43F
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                • String ID:
                                • API String ID: 2278895681-0
                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                • _free.LIBCMT ref: 00448353
                                • _free.LIBCMT ref: 0044837A
                                • SetLastError.KERNEL32(00000000), ref: 00448387
                                • SetLastError.KERNEL32(00000000), ref: 00448390
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                APIs
                                • _free.LIBCMT ref: 00450A54
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00450A66
                                • _free.LIBCMT ref: 00450A78
                                • _free.LIBCMT ref: 00450A8A
                                • _free.LIBCMT ref: 00450A9C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                APIs
                                • _strpbrk.LIBCMT ref: 0044E7B8
                                • _free.LIBCMT ref: 0044E8D5
                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: XQG$NG$PG
                                • API String ID: 1634807452-3565412412
                                • Opcode ID: e4a9d5c560b69fd78b4aefd9c555e9a05f5e8dfaddfa74acecea5ef8592acc29
                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                • Opcode Fuzzy Hash: e4a9d5c560b69fd78b4aefd9c555e9a05f5e8dfaddfa74acecea5ef8592acc29
                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00443515
                                • _free.LIBCMT ref: 004435E0
                                • _free.LIBCMT ref: 004435EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\file.exe
                                • API String ID: 2506810119-4010620828
                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                • GetLastError.KERNEL32 ref: 0044B9B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PkGNG
                                • API String ID: 2456169464-263838557
                                • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: fe1dcbe43dd3634a87855b23991002f64a6e7fb6b5b63a54aa9eaae6f1d8b0cb
                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                • Opcode Fuzzy Hash: fe1dcbe43dd3634a87855b23991002f64a6e7fb6b5b63a54aa9eaae6f1d8b0cb
                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                  • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                  • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                • _free.LIBCMT ref: 0044F050
                                • _free.LIBCMT ref: 0044F086
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast_abort
                                • String ID: x[h$x[h
                                • API String ID: 2991157371-3799312894
                                • Opcode ID: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                • Opcode Fuzzy Hash: e5cd2967445071e6bfe31aa1a48247ff35ff00e78bbd9f02ad68eb6c8bd53105
                                • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                APIs
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                • API String ID: 1881088180-1310280921
                                • Opcode ID: 73f637bbd48b1bf229094fefa832032d007dc839beb89d63076b170c08ac48f7
                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                • Opcode Fuzzy Hash: 73f637bbd48b1bf229094fefa832032d007dc839beb89d63076b170c08ac48f7
                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                APIs
                                • _wcslen.LIBCMT ref: 00416330
                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                  • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                  • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                • Opcode ID: ae53bb49b955ddfd9ba074638e44ae915bae7f1428e0d3fc489d48489e4b94a7
                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                • Opcode Fuzzy Hash: ae53bb49b955ddfd9ba074638e44ae915bae7f1428e0d3fc489d48489e4b94a7
                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                APIs
                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 4c3ec1025f380f0846f8e1dc8bc4a2843c94f1a3baaeaf19e1a0ff68f190b872
                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                • Opcode Fuzzy Hash: 4c3ec1025f380f0846f8e1dc8bc4a2843c94f1a3baaeaf19e1a0ff68f190b872
                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                APIs
                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: bc9d1e2df797dab518334d9674a311e448b3e3a06a0a38ddc3fca4162ebd7fce
                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                • Opcode Fuzzy Hash: bc9d1e2df797dab518334d9674a311e448b3e3a06a0a38ddc3fca4162ebd7fce
                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: c9dadc1da63af5f6e8376356dc394f03abfd93875fd3821fa0c6c3cb1e5cb8ec
                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                • Opcode Fuzzy Hash: c9dadc1da63af5f6e8376356dc394f03abfd93875fd3821fa0c6c3cb1e5cb8ec
                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                APIs
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: bd734070be6d9fd3b2319cc8bc141e303554b7076250c8a214208a99cb0c267f
                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                • Opcode Fuzzy Hash: bd734070be6d9fd3b2319cc8bc141e303554b7076250c8a214208a99cb0c267f
                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,0040F3F6,?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE42
                                • GetLastError.KERNEL32(?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE4C
                                • __dosmaperr.LIBCMT ref: 0044BE77
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID: Pdi
                                • API String ID: 2583163307-2785181949
                                • Opcode ID: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                • Instruction ID: c640735ad7e51643fe6b0a0a71fefea3e0d0f945221813f090adf85c72c27ea1
                                • Opcode Fuzzy Hash: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                • Instruction Fuzzy Hash: AC01483260066866E624623858457BF6789CBC2739F35022FFE18872C3DF6CCC8181D9
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                • API String ID: 481472006-3277280411
                                • Opcode ID: 6d65b35793c1f0ee1ca33c8ff48bd585d8f9b96005ee3902c82eeebd0cb3c058
                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                • Opcode Fuzzy Hash: 6d65b35793c1f0ee1ca33c8ff48bd585d8f9b96005ee3902c82eeebd0cb3c058
                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                • Opcode ID: ed66be453417c099092d2c881b0bf4f778d424254e45a7ba9590b70ea61d3fea
                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                • Opcode Fuzzy Hash: ed66be453417c099092d2c881b0bf4f778d424254e45a7ba9590b70ea61d3fea
                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                • GetLastError.KERNEL32 ref: 0044C316
                                • __dosmaperr.LIBCMT ref: 0044C31D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PkGNG
                                • API String ID: 2336955059-263838557
                                • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 1208aa0f1ec4f625f2dd1105fdd9db146f5aac58113692a75bb52ce6743b9de6
                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                • Opcode Fuzzy Hash: 1208aa0f1ec4f625f2dd1105fdd9db146f5aac58113692a75bb52ce6743b9de6
                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: FormatFreeLocalMessage
                                • String ID: @J@$PkGNG
                                • API String ID: 1427518018-1416487119
                                • Opcode ID: 169e295061165c204340d448f50400884db8202b0d92508f4913cf451efee3b2
                                • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                                • Opcode Fuzzy Hash: 169e295061165c204340d448f50400884db8202b0d92508f4913cf451efee3b2
                                • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                • Opcode Fuzzy Hash: 0e967f5f4c551f764c071b3c3fecd2d0a166eebc37c8bba363630da575d49789
                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                • API String ID: 1818849710-27424756
                                • Opcode ID: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                • Opcode Fuzzy Hash: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                • SetForegroundWindow.USER32 ref: 00416CA8
                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 186401046-604454484
                                • Opcode ID: b3bf2abe11f2753584a36420ae4e649aa3d370534bfc6fae2faf3e21f9dcef6a
                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                • Opcode Fuzzy Hash: b3bf2abe11f2753584a36420ae4e649aa3d370534bfc6fae2faf3e21f9dcef6a
                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: c9d8b598d3fd4de2fef92b814dea4f819fb2a27baf8bb84222376f6534362272
                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                • Opcode Fuzzy Hash: c9d8b598d3fd4de2fef92b814dea4f819fb2a27baf8bb84222376f6534362272
                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                APIs
                                Strings
                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 2a26057df4c02b1519bea9411a42989b6459d02b68d3bbb112ffcdb574c062b7
                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                • Opcode Fuzzy Hash: 2a26057df4c02b1519bea9411a42989b6459d02b68d3bbb112ffcdb574c062b7
                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                APIs
                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$xdF
                                • API String ID: 4119054056-3578471011
                                • Opcode ID: 7af087c9dbd06382a8b67455a26849064df6f45d73dc15ae608225e39718d2a5
                                • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                • Opcode Fuzzy Hash: 7af087c9dbd06382a8b67455a26849064df6f45d73dc15ae608225e39718d2a5
                                • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                APIs
                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                • Opcode Fuzzy Hash: 0877f6620f6187a1062b87b3f34e88cc83cbee9ae63c8039862e0d8bb1bff125
                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                • Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
                                • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                APIs
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: GdiplusStartupconnectsend
                                • String ID: ,aF$NG
                                • API String ID: 1957403310-2168067942
                                • Opcode ID: 6faaadbd3ead43c92726fa02e1435eb68f61b0cdfffa7847a1267ec095d6f1f8
                                • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                • Opcode Fuzzy Hash: 6faaadbd3ead43c92726fa02e1435eb68f61b0cdfffa7847a1267ec095d6f1f8
                                • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                APIs
                                • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                • GetLastError.KERNEL32 ref: 00449FAB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide
                                • String ID: PkGNG
                                • API String ID: 203985260-263838557
                                • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                • Opcode ID: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                • Opcode Fuzzy Hash: f4d343ee3105d0ca7f694a1c3c1cd31302a14f8eac364085ad57c9062bbf9fd1
                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                • GetLastError.KERNEL32 ref: 0044B884
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                • GetLastError.KERNEL32 ref: 0044B796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                APIs
                                • Sleep.KERNEL32 ref: 0041667B
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                APIs
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx$PkGNG
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • _abort.LIBCMT ref: 0044F129
                                • _free.LIBCMT ref: 0044F15D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorLast_abort_free
                                • String ID: x[h
                                APIs
                                • waveInPrepareHeader.WINMM(0068DDC0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(0068DDC0,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: XMG
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                APIs
                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$kKD
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: 3dc950b97b66bec29fc707551646097b74ac4572deee221e6d7963595bb39165
                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                • Opcode Fuzzy Hash: 3dc950b97b66bec29fc707551646097b74ac4572deee221e6d7963595bb39165
                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B686
                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(00000000,?,00000000,0040B245,00000000), ref: 0040A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                • Opcode ID: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                • Opcode Fuzzy Hash: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                • API String ID: 2086374402-949981407
                                • Opcode ID: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                • Opcode Fuzzy Hash: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                • Opcode ID: 123f3005351d9319ab9640cf94be40b0b125891abe94fb4f7f64a0320ee6aa85
                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                • Opcode Fuzzy Hash: 123f3005351d9319ab9640cf94be40b0b125891abe94fb4f7f64a0320ee6aa85
                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                APIs
                                • ___initconout.LIBCMT ref: 004555DB
                                  • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PkGNG
                                • API String ID: 3087715906-263838557
                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                • Opcode Fuzzy Hash: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                APIs
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                • Opcode ID: 159be02b0246ebeb2c04e0d52e857dcc82740e44e8b6cb15f475d12a07aa0db8
                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                • Opcode Fuzzy Hash: 159be02b0246ebeb2c04e0d52e857dcc82740e44e8b6cb15f475d12a07aa0db8
                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0040ACEE,0000005C,?,?,?,00000000), ref: 0040B8B1
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACEE,0000005C,?,?,?,00000000), ref: 0040B8DC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: xdF
                                • API String ID: 3325800564-999140092
                                • Opcode ID: 44949101e04cc8e71f0ce6f1645624d8809e8bbe998220da413487c1cb7b025a
                                • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                • Opcode Fuzzy Hash: 44949101e04cc8e71f0ce6f1645624d8809e8bbe998220da413487c1cb7b025a
                                • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                • GetLastError.KERNEL32 ref: 00440D85
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1254281723.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1254269116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254312533.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254332043.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1254359485.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                Execution Graph

                                Execution Coverage:1.5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:541
                                Total number of Limit Nodes:9
                                execution_graph 47117 684918 47118 684924 ___DestructExceptionObject 47117->47118 47144 684627 47118->47144 47120 68492b 47122 684954 47120->47122 47429 684a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 47120->47429 47130 684993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 47122->47130 47430 6942d2 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 47122->47430 47124 68496d 47126 684973 ___DestructExceptionObject 47124->47126 47431 694276 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 47124->47431 47127 6849f3 47155 684ba5 47127->47155 47130->47127 47432 693487 35 API calls 5 library calls 47130->47432 47137 684a15 47138 684a1f 47137->47138 47434 6934bf 28 API calls _abort 47137->47434 47140 684a28 47138->47140 47435 693462 28 API calls _abort 47138->47435 47436 68479e 13 API calls 2 library calls 47140->47436 47143 684a30 47143->47126 47145 684630 47144->47145 47437 684cb6 IsProcessorFeaturePresent 47145->47437 47147 68463c 47438 688fb1 10 API calls 4 library calls 47147->47438 47149 684641 47154 684645 47149->47154 47439 69415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47149->47439 47151 68464e 47152 68465c 47151->47152 47440 688fda 8 API calls 3 library calls 47151->47440 47152->47120 47154->47120 47441 686f10 47155->47441 47157 684bb8 GetStartupInfoW 47158 6849f9 47157->47158 47159 694223 47158->47159 47443 69f0d9 47159->47443 47161 684a02 47164 65ea00 47161->47164 47162 69422c 47162->47161 47447 696895 35 API calls 47162->47447 47449 66cbe1 LoadLibraryA GetProcAddress 47164->47449 47166 65ea1c GetModuleFileNameW 47454 65f3fe 47166->47454 47168 65ea38 47469 6520f6 47168->47469 47171 6520f6 28 API calls 47172 65ea56 47171->47172 47475 66beac 47172->47475 47176 65ea68 47501 651e8d 47176->47501 47178 65ea71 47179 65ea84 47178->47179 

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0065EA1C), ref: 0066CBF6
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CBFF
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0065EA1C), ref: 0066CC16
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC19
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0065EA1C), ref: 0066CC2B
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC2E
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0065EA1C), ref: 0066CC3F
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC42
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0065EA1C), ref: 0066CC54
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC57
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0065EA1C), ref: 0066CC63
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC66
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0065EA1C), ref: 0066CC77
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC7A
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0065EA1C), ref: 0066CC8B
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CC8E
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0065EA1C), ref: 0066CC9F
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CCA2
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0065EA1C), ref: 0066CCB3
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CCB6
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0065EA1C), ref: 0066CCC7
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CCCA
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0065EA1C), ref: 0066CCDB
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CCDE
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0065EA1C), ref: 0066CCEF
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CCF2
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0065EA1C), ref: 0066CD03
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD06
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0065EA1C), ref: 0066CD14
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD17
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0065EA1C), ref: 0066CD28
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD2B
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0065EA1C), ref: 0066CD38
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD3B
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0065EA1C), ref: 0066CD48
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD4B
                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0065EA1C), ref: 0066CD5D
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD60
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0065EA1C), ref: 0066CD6D
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD70
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0065EA1C), ref: 0066CD81
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD84
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0065EA1C), ref: 0066CD95
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CD98
                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0065EA1C), ref: 0066CDAA
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CDAD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0065EA1C), ref: 0066CDBA
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CDBD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0065EA1C), ref: 0066CDCA
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CDCD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0065EA1C), ref: 0066CDDA
                                • GetProcAddress.KERNEL32(00000000), ref: 0066CDDD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32$w$p z$p
                                • API String ID: 4236061018-1783977996
                                • Opcode ID: 73a4f228f70b9cb82e81fc4325817ca0eba22b4151b225d2048a240025b7c255
                                • Instruction ID: 0f7ea49a12fe609d4234378c570f625d4b1ab4c08deb6f39884d88275760bb77
                                • Opcode Fuzzy Hash: 73a4f228f70b9cb82e81fc4325817ca0eba22b4151b225d2048a240025b7c255
                                • Instruction Fuzzy Hash: 8141C1E4E803587ADB20BBF65D5DDAB3E6EDD517B43421826B008D7150DEB8DA80CFA4

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0065EA1C), ref: 0066CBF6
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CBFF
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0065EA1C), ref: 0066CC16
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC19
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0065EA1C), ref: 0066CC2B
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC2E
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0065EA1C), ref: 0066CC3F
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC42
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0065EA1C), ref: 0066CC54
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC57
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0065EA1C), ref: 0066CC63
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC66
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0065EA1C), ref: 0066CC77
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC7A
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0065EA1C), ref: 0066CC8B
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CC8E
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0065EA1C), ref: 0066CC9F
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CCA2
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0065EA1C), ref: 0066CCB3
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CCB6
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0065EA1C), ref: 0066CCC7
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CCCA
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0065EA1C), ref: 0066CCDB
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CCDE
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0065EA1C), ref: 0066CCEF
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CCF2
                                  • Part of subcall function 0066CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0065EA1C), ref: 0066CD03
                                  • Part of subcall function 0066CBE1: GetProcAddress.KERNEL32(00000000), ref: 0066CD06
                                  • Part of subcall function 0066CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0065EA1C), ref: 0066CD14
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\svchost.exe,00000104), ref: 0065EA29
                                  • Part of subcall function 00660F72: __EH_prolog.LIBCMT ref: 00660F77
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\svchost.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-HWAIZA$Rmc-HWAIZA-W$Software\$User$del$del$exepath$licence$license_code.txt
                                • API String ID: 2830904901-3338830372
                                • Opcode ID: 2e36bae400b75fb1995699af31f7450492a9ac43481a21172d93979f7aaf6873
                                • Instruction ID: af1a625d7cd9efec15c0fc013aa5b5f77b737fbd7d7612ad0e134566bf548674
                                • Opcode Fuzzy Hash: 2e36bae400b75fb1995699af31f7450492a9ac43481a21172d93979f7aaf6873
                                • Instruction Fuzzy Hash: DE32C560B043406BDB98BB709C67F7E26DB9F82742F44042DBD429F2C2DE699D4D8369

                                Control-flow Graph

                                APIs
                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,006C50E4,00000003), ref: 006624CF
                                • ExitProcess.KERNEL32(00000000), ref: 006624DB
                                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00662555
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00662564
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0066256F
                                • CloseHandle.KERNEL32(00000000), ref: 00662576
                                • GetCurrentProcessId.KERNEL32 ref: 0066257C
                                • PathFileExistsW.SHLWAPI(?), ref: 006625AD
                                • GetTempPathW.KERNEL32(00000104,?), ref: 00662610
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0066262A
                                • lstrcatW.KERNEL32(?,.exe), ref: 0066263C
                                  • Part of subcall function 0066C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0066C5A1,00000000,00000000,00000000), ref: 0066C4C1
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0066267C
                                • Sleep.KERNEL32(000001F4), ref: 006626BD
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 006626D2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006626DD
                                • CloseHandle.KERNEL32(00000000), ref: 006626E4
                                • GetCurrentProcessId.KERNEL32 ref: 006626EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$Rmc-HWAIZA-W$WDH$exepath$open$temp_
                                • API String ID: 2649220323-1908802716

                                Control-flow Graph
                                APIs
                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C52F
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C543
                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C568
                                • CloseHandle.KERNEL32(00000000,?,00000000,0065412F,006B5E84), ref: 0066C576
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0

                                Control-flow Graph
                                APIs
                                • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0065D509,00000000,?,00000000), ref: 00663A6C
                                • RegDeleteValueW.KERNELBASE(?,?,?,00000000), ref: 00663A80
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00663A6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024

                                Control-flow Graph
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000208), ref: 0066374F
                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00663768
                                • RegCloseKey.KERNELBASE(?), ref: 00663773
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0

                                Control-flow Graph
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 006635A4
                                • RegQueryValueExA.KERNELBASE(00000000,?,00000000,?,?,?), ref: 006635C2
                                • RegCloseKey.KERNELBASE(00000000), ref: 006635CD
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0

                                Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Control-flow Graph
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00685349,?,?,006888C7,?,?,00000000,006C6B50,?,0065DE9D,00685349,?,?,?,?), ref: 006961EA
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 006556E6
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                • __Init_thread_footer.LIBCMT ref: 00655723
                                • CreatePipe.KERNEL32(006C6CCC,006C6CB4,006C6BD8,00000000,006B60CC,00000000), ref: 006557B6
                                • CreatePipe.KERNEL32(006C6CB8,006C6CD4,006C6BD8,00000000), ref: 006557CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,006C6BE8,006C6CBC), ref: 0065583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00655897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006558BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 006558E9
                                  • Part of subcall function 00684801: __onexit.LIBCMT ref: 00684807
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,006C4F90,006B60D0,00000062,006B60B4), ref: 006559E4
                                • Sleep.KERNEL32(00000064,00000062,006B60B4), ref: 006559FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00655A17
                                • CloseHandle.KERNEL32 ref: 00655A23
                                • CloseHandle.KERNEL32 ref: 00655A2B
                                • CloseHandle.KERNEL32 ref: 00655A3D
                                • CloseHandle.KERNEL32 ref: 00655A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0ll$0ll$0ll$0ll$0ll$SystemDrive$cmd.exe$kl
                                • API String ID: 2994406822-1676974044
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00662141
                                  • Part of subcall function 006638B2: RegCreateKeyA.ADVAPI32(80000001,00000000,006B60B4), ref: 006638C0
                                  • Part of subcall function 006638B2: RegSetValueExA.ADVAPI32(006B60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0065C18D,006B6C58,00000001,000000AF,006B60B4), ref: 006638DB
                                  • Part of subcall function 006638B2: RegCloseKey.ADVAPI32(006B60B4,?,?,?,0065C18D,006B6C58,00000001,000000AF,006B60B4), ref: 006638E6
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00662181
                                • CloseHandle.KERNEL32(00000000), ref: 00662190
                                • CreateThread.KERNEL32(00000000,00000000,00662829,00000000,00000000,00000000), ref: 006621E6
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00662455
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$Rmc-HWAIZA-W$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-704763658
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0065BBEA
                                • FindClose.KERNEL32(00000000), ref: 0065BC04
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0065BD27
                                • FindClose.KERNEL32(00000000), ref: 0065BD4D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                APIs
                                • OpenClipboard.USER32 ref: 006668FD
                                • EmptyClipboard.USER32 ref: 0066690B
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0066692B
                                • GlobalLock.KERNEL32(00000000), ref: 00666934
                                • GlobalUnlock.KERNEL32(00000000), ref: 0066696A
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00666973
                                • CloseClipboard.USER32 ref: 00666990
                                • OpenClipboard.USER32 ref: 00666997
                                • GetClipboardData.USER32(0000000D), ref: 006669A7
                                • GlobalLock.KERNEL32(00000000), ref: 006669B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 006669B9
                                • CloseClipboard.USER32 ref: 006669BF
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !De
                                • API String ID: 3520204547-1862527507
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00663452
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00663460
                                • GetFileSize.KERNEL32(?,00000000), ref: 0066346D
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0066348D
                                • CloseHandle.KERNEL32(00000000), ref: 0066349A
                                • CloseHandle.KERNEL32(?), ref: 006634A0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                APIs
                                • _wcslen.LIBCMT ref: 0065755C
                                • CoGetObject.OLE32(?,00000024,006B6528,00000000), ref: 006575BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,006C58E8), ref: 0066A7EF
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0066A83E
                                • GetLastError.KERNEL32 ref: 0066A84C
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0066A884
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                APIs
                                  • Part of subcall function 00698295: GetLastError.KERNEL32(?,0068F770,0068A875,0068F770,006C4EF8,PklNl,0068CE65,FF8BC35D,006C4EF8,006C4EF8), ref: 00698299
                                  • Part of subcall function 00698295: _free.LIBCMT ref: 006982CC
                                  • Part of subcall function 00698295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0069830D
                                  • Part of subcall function 00698295: _abort.LIBCMT ref: 00698313
                                  • Part of subcall function 00698295: _free.LIBCMT ref: 006982F4
                                  • Part of subcall function 00698295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00698301
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 006A279C
                                • IsValidCodePage.KERNEL32(00000000), ref: 006A27F7
                                • IsValidLocale.KERNEL32(?,00000001), ref: 006A2806
                                • GetLocaleInfoW.KERNEL32(?,00001001,Ji,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 006A284E
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 006A286D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: Ji$Ji$Ji
                                • API String ID: 745075371-3460596288
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0065C3D6
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0065C4A9
                                • FindClose.KERNEL32(00000000), ref: 0065C4B8
                                • FindClose.KERNEL32(00000000), ref: 0065C4E3
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: Find$CloseFile$FirstNext
                                 • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                 • API String ID: 1164774033-405221262
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,006C4EE0,?), ref: 0066C37D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,006C4EE0,?), ref: 0066C3AD
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,006C4EE0,?), ref: 0066C41F
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,006C4EE0,?), ref: 0066C42C
                                  • Part of subcall function 0066C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,006C4EE0,?), ref: 0066C402
                                • GetLastError.KERNEL32(?,?,?,?,?,006C4EE0,?), ref: 0066C44D
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,006C4EE0,?), ref: 0066C463
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,006C4EE0,?), ref: 0066C46A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,006C4EE0,?), ref: 0066C473
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                 • String ID:
                                 • API String ID: 2341273852-0
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006640D8
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006640E4
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 006642A5
                                • GetProcAddress.KERNEL32(00000000), ref: 006642AC
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: AddressCloseCreateLibraryLoadProcsend
                                 • String ID: SHDeleteKeyW$Shlwapi.dll
                                 • API String ID: 2127411465-314212984
                                APIs
                                  • Part of subcall function 0066798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0066799A
                                  • Part of subcall function 0066798D: OpenProcessToken.ADVAPI32(00000000), ref: 006679A1
                                  • Part of subcall function 0066798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006679B3
                                  • Part of subcall function 0066798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006679D2
                                  • Part of subcall function 0066798D: GetLastError.KERNEL32 ref: 006679D8
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00666891
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 006668A6
                                • GetProcAddress.KERNEL32(00000000), ref: 006668AD
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                 • String ID: !De$PowrProf.dll$SetSuspendState
                                 • API String ID: 1589313981-2270120417
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0065BA89
                                • GetLastError.KERNEL32 ref: 0065BA93
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0065BA54
                                • [Chrome StoredLogins found, cleared!], xrefs: 0065BAB9
                                • UserProfile, xrefs: 0065BA59
                                • [Chrome StoredLogins not found], xrefs: 0065BAAD
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: DeleteErrorFileLast
                                 • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                 • API String ID: 2018770650-1062637481
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0066799A
                                • OpenProcessToken.ADVAPI32(00000000), ref: 006679A1
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006679B3
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006679D2
                                • GetLastError.KERNEL32 ref: 006679D8
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                 • String ID: SeShutdownPrivilege
                                 • API String ID: 3534403312-3733053543
                                APIs
                                • __EH_prolog.LIBCMT ref: 00659293
                                  • Part of subcall function 006548C8: connect.WS2_32(FFFFFFFF,?,?), ref: 006548E0
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0065932F
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0065938D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 006593E5
                                • FindClose.KERNEL32(00000000), ref: 006593FC
                                  • Part of subcall function 00654E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,006C4EF8,PklNl,00000000,006C4EF8,00654CA8,00000000,00000000,00000000,?,006C4EF8,?), ref: 00654E38
                                  • Part of subcall function 00654E26: SetEvent.KERNEL32(00000000), ref: 00654E43
                                  • Part of subcall function 00654E26: CloseHandle.KERNEL32(00000000), ref: 00654E4C
                                • FindClose.KERNEL32(00000000), ref: 006595F4
                                  • Part of subcall function 00654AA1: WaitForSingleObject.KERNEL32(?,00000000,00651A45,?,?,00000004,?,?,00000004,006C6B50,006C4EE0,00000000), ref: 00654B47
                                  • Part of subcall function 00654AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,006C6B50,006C4EE0,00000000,?,?,?,?,?,00651A45), ref: 00654B75
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                 • String ID:
                                 • API String ID: 1824512719-0
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID:
                                 • String ID: FSj$FSj$PklNl
                                 • API String ID: 0-2936785011
                                APIs
                                  • Part of subcall function 00663584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 006635A4
                                  • Part of subcall function 00663584: RegQueryValueExA.KERNELBASE(00000000,?,00000000,?,?,?), ref: 006635C2
                                  • Part of subcall function 00663584: RegCloseKey.KERNELBASE(00000000), ref: 006635CD
                                • Sleep.KERNEL32(00000BB8), ref: 0065F896
                                • ExitProcess.KERNEL32 ref: 0065F905
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: CloseExitOpenProcessQuerySleepValue
                                 • String ID: 5.1.2 Pro$override$pth_unenc
                                 • API String ID: 2281282204-3554326054
                                APIs
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,006A27DB,?,00000000), ref: 006A2555
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,006A27DB,?,00000000), ref: 006A257E
                                • GetACP.KERNEL32(?,?,006A27DB,?,00000000), ref: 006A2593
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: InfoLocale
                                 • String ID: ACP$OCP
                                 • API String ID: 2299586839-711371036
                                APIs
                                • __EH_prolog.LIBCMT ref: 006596A5
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0065971D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00659746
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0065975D
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: Find$File$CloseFirstH_prologNext
                                 • String ID:
                                 • API String ID: 1157919129-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0065884C
                                • FindFirstFileW.KERNEL32(00000000,?,006B6618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00658905
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0065892D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0065893A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00658A50
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                 • String ID:
                                 • API String ID: 1771804793-0
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0066CB68
                                  • Part of subcall function 006637AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,006B612C), ref: 006637B9
                                  • Part of subcall function 006637AA: RegSetValueExA.ADVAPI32(006B612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0066CB42,WallpaperStyle,006B612C,00000001,006C4EE0,00000000), ref: 006637E1
                                  • Part of subcall function 006637AA: RegCloseKey.ADVAPI32(006B612C,?,?,0066CB42,WallpaperStyle,006B612C,00000001,006C4EE0,00000000,?,00658798,00000001), ref: 006637EC
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: CloseCreateInfoParametersSystemValue
                                 • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                 • API String ID: 4127273184-3576401099
                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PklNl,0069332B,00000003,006BE958,0000000C,00693482,00000003,00000002,00000000,PklNl,006961B7,00000003), ref: 00693376
                                • TerminateProcess.KERNEL32(00000000), ref: 0069337D
                                • ExitProcess.KERNEL32 ref: 0069338F
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: Process$CurrentExitTerminate
                                 • String ID: PklNl
                                 • API String ID: 1703294689-3463370728
                                APIs
                                  • Part of subcall function 00698295: GetLastError.KERNEL32(?,0068F770,0068A875,0068F770,006C4EF8,PklNl,0068CE65,FF8BC35D,006C4EF8,006C4EF8), ref: 00698299
                                  • Part of subcall function 00698295: _free.LIBCMT ref: 006982CC
                                  • Part of subcall function 00698295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0069830D
                                  • Part of subcall function 00698295: _abort.LIBCMT ref: 00698313
                                • EnumSystemLocalesW.KERNEL32(006A2143,00000001,00000000,?,Ji,?,006A2770,00000000,?,?,?), ref: 006A208D
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                 Similarity
                                 • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                 • String ID: p'j$Ji
                                 • API String ID: 1084509184-1242166605

                                 Control-flow Graph
                                 • (graph of basic blocks 66812a-6684c7 for the function below; graph rendering omitted)
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00668171
                                • GetProcAddress.KERNEL32(00000000), ref: 00668174
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00668185
                                • GetProcAddress.KERNEL32(00000000), ref: 00668188
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00668199
                                • GetProcAddress.KERNEL32(00000000), ref: 0066819C
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 006681AD
                                • GetProcAddress.KERNEL32(00000000), ref: 006681B0
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00668252
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0066826A
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00668280
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 006682A6
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00668328
                                • TerminateProcess.KERNEL32(?,00000000), ref: 0066833C
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0066837C
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00668446
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00668463
                                • ResumeThread.KERNEL32(?), ref: 00668470
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00668487
                                • GetCurrentProcess.KERNEL32(?), ref: 00668492
                                • TerminateProcess.KERNEL32(?,00000000), ref: 006684AD
                                • GetLastError.KERNEL32 ref: 006684B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: d8ab57c64a92777154d17d3f76688189032d007da172ac952b7b64b856072930
                                • Instruction ID: 82e6d796f4f6f7df8ce44761ad108fdc9089f6c41d37276eb5c17c86efd72bcb
                                • Opcode Fuzzy Hash: d8ab57c64a92777154d17d3f76688189032d007da172ac952b7b64b856072930
                                • Instruction Fuzzy Hash: 45A14AB0604302AFDB109F64DC85FAABBEAFF48744F101929FA85D7290DB74E944CB65
                                APIs
                                  • Part of subcall function 0066288B: TerminateProcess.KERNEL32(00000000,?,0065D84A), ref: 0066289B
                                  • Part of subcall function 0066288B: WaitForSingleObject.KERNEL32(000000FF,?,0065D84A), ref: 006628AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0065D558
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0065D56B
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0065D584
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0065D5B4
                                  • Part of subcall function 0065B8E7: TerminateThread.KERNEL32(0065A2B8,00000000,00000000,?,0065D47D,?,00000000), ref: 0065B8F6
                                  • Part of subcall function 0065B8E7: UnhookWindowsHookEx.USER32(006C50F0), ref: 0065B902
                                  • Part of subcall function 0065B8E7: TerminateThread.KERNEL32(0065A2A2,00000000,?,0065D47D,?,00000000), ref: 0065B910
                                  • Part of subcall function 0066C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0066C5A1,00000000,00000000,00000000), ref: 0066C4C1
                                • ShellExecuteW.SHELL32(00000000,open,00000000,006B6478,006B6478,00000000), ref: 0065D7FF
                                • ExitProcess.KERNEL32 ref: 0065D80B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$@qk$@qk$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-1276825788
                                • Opcode ID: 0ec6655a6010b428c397ceed683223a4bb3028e62635e57ca7503d28bfb91fb4
                                • Instruction ID: 5e2c5827c3d0546d304f3a40b99c1d446b448e171c505f443877e1f4c3a93709
                                • Opcode Fuzzy Hash: 0ec6655a6010b428c397ceed683223a4bb3028e62635e57ca7503d28bfb91fb4
                                • Instruction Fuzzy Hash: 4A9182711082405BC3A4FB24DC62AEF77EBAF95746F10042DB84A971E2EF209E4DC75A
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0066B1CD
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0066B1E1
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,006B60B4), ref: 0066B209
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,006C4EE0,00000000), ref: 0066B21F
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0066B260
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0066B278
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0066B28D
                                • SetEvent.KERNEL32 ref: 0066B2AA
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0066B2BB
                                • CloseHandle.KERNEL32 ref: 0066B2CB
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0066B2ED
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0066B2F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$Nl
                                • API String ID: 738084811-3496820153
                                • Opcode ID: 91e294b21bb0d357042cc8231be663e0768c92cb6ec410e6fe1e87587f0a059b
                                • Instruction ID: 86231172ad3f0f4b698e1fd3a5ba4d1d78f59579c8258d83b9a94fc22c983698
                                • Opcode Fuzzy Hash: 91e294b21bb0d357042cc8231be663e0768c92cb6ec410e6fe1e87587f0a059b
                                • Instruction Fuzzy Hash: E751D171284204AFE354FB70DCA2EBF779FEB82355F10101DF84696192EF205E49876A
                                APIs
                                  • Part of subcall function 0066288B: TerminateProcess.KERNEL32(00000000,?,0065D84A), ref: 0066289B
                                  • Part of subcall function 0066288B: WaitForSingleObject.KERNEL32(000000FF,?,0065D84A), ref: 006628AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,006C52F0,?,pth_unenc), ref: 0065D1E0
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0065D1F3
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,006C52F0,?,pth_unenc), ref: 0065D223
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,006C52F0,?,pth_unenc), ref: 0065D232
                                  • Part of subcall function 0065B8E7: TerminateThread.KERNEL32(0065A2B8,00000000,00000000,?,0065D47D,?,00000000), ref: 0065B8F6
                                  • Part of subcall function 0065B8E7: UnhookWindowsHookEx.USER32(006C50F0), ref: 0065B902
                                  • Part of subcall function 0065B8E7: TerminateThread.KERNEL32(0065A2A2,00000000,?,0065D47D,?,00000000), ref: 0065B910
                                  • Part of subcall function 0066BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0065407C), ref: 0066BA30
                                • ShellExecuteW.SHELL32(00000000,open,00000000,006B6478,006B6478,00000000), ref: 0065D44D
                                • ExitProcess.KERNEL32 ref: 0065D454
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpk
                                • API String ID: 3797177996-949832881
                                • Opcode ID: b1571294005e8bfd3ebe8bcea23eb910d8178d0d0b1e588d9a2e798e8c2c8d89
                                • Instruction ID: 2440713c49054a93f0a2914d63e5701347c94e441ff0fa6274d32bc40f0eec96
                                • Opcode Fuzzy Hash: b1571294005e8bfd3ebe8bcea23eb910d8178d0d0b1e588d9a2e798e8c2c8d89
                                • Instruction Fuzzy Hash: 28816F716082405BC7A4FB20DC52AEF77EBAF91706F10042DB886972D2EF249E4DC75A
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00651AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00651B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00651B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00651B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00651B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00651B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00651B54
                                • WriteFile.KERNEL32(00000000,006C2AAA,00000002,00000000,00000000), ref: 00651B65
                                • WriteFile.KERNEL32(00000000,006C2AAC,00000004,00000000,00000000), ref: 00651B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00651B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00651B96
                                • WriteFile.KERNEL32(00000000,006C2AB6,00000002,00000000,00000000), ref: 00651BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00651BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00651BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: a5674e71598bf1aceec27e9f9c9f364d67c4c9333f40932621c365dcf472f009
                                • Instruction ID: 0985a087e8e5c697220008f27cfe90a72c0d02c087bfb767ade78d48ab2cf7e3
                                • Opcode Fuzzy Hash: a5674e71598bf1aceec27e9f9c9f364d67c4c9333f40932621c365dcf472f009
                                • Instruction Fuzzy Hash: 3E414C726442097AE310DA91DD86FBB7FEDEB85F50F41041AFA44D6080D7A0A909DBB3
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\svchost.exe,00000001,00657688,C:\Windows\SysWOW64\svchost.exe,00000003,006576B0,006C52D8,00657709), ref: 006572BF
                                • GetProcAddress.KERNEL32(00000000), ref: 006572C8
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 006572DD
                                • GetProcAddress.KERNEL32(00000000), ref: 006572E0
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 006572F1
                                • GetProcAddress.KERNEL32(00000000), ref: 006572F4
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00657305
                                • GetProcAddress.KERNEL32(00000000), ref: 00657308
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00657319
                                • GetProcAddress.KERNEL32(00000000), ref: 0065731C
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0065732D
                                • GetProcAddress.KERNEL32(00000000), ref: 00657330
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Windows\SysWOW64\svchost.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-2610085181
                                • Opcode ID: bde97ecec1e3ff2757764ebd26e97a394e49342ec33cd326d7efb1c725a56e42
                                • Instruction ID: a31ea9fa63db2948dbe762802fef203903567422487715defbb27ac949c1d9b9
                                • Opcode Fuzzy Hash: bde97ecec1e3ff2757764ebd26e97a394e49342ec33cd326d7efb1c725a56e42
                                • Instruction Fuzzy Hash: 82017CE1E443177A8B116B7EEC64DAB6E9F9E403517022827BC01E2252EEB8D940CF64
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0066C0C7
                                • _memcmp.LIBVCRUNTIME ref: 0066C0DF
                                • lstrlenW.KERNEL32(?), ref: 0066C0F8
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0066C133
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0066C146
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0066C18A
                                • lstrcmpW.KERNEL32(?,?), ref: 0066C1A5
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0066C1BD
                                • _wcslen.LIBCMT ref: 0066C1CC
                                • FindVolumeClose.KERNEL32(?), ref: 0066C1EC
                                • GetLastError.KERNEL32 ref: 0066C204
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0066C231
                                • lstrcatW.KERNEL32(?,?), ref: 0066C24A
                                • lstrcpyW.KERNEL32(?,?), ref: 0066C259
                                • GetLastError.KERNEL32 ref: 0066C261
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: cf49fc8c0cbcc8a85e81a4849c8d3231e397232097f4e48b15b87c75c30df059
                                • Instruction ID: dfb0e109dfb2ec0f481128748fb178cc2d40f42a9b9381a6523e0f63023052d6
                                • Opcode Fuzzy Hash: cf49fc8c0cbcc8a85e81a4849c8d3231e397232097f4e48b15b87c75c30df059
                                • Instruction Fuzzy Hash: B841A7715087069BD720EF64DC489EBB7EEEB89750F10092AF585C3161EB70DA49CBE2
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: b84d13da4f248e544692de35fca872bc41b08b0b5ebb205fb6c95a0737eaf4d4
                                • Instruction ID: 0070e75dc92f10e79adf86b0c020cf6b0e0f49ff9d4e1d59e56b6dfecde92f03
                                • Opcode Fuzzy Hash: b84d13da4f248e544692de35fca872bc41b08b0b5ebb205fb6c95a0737eaf4d4
                                • Instruction Fuzzy Hash: BBD104B1900301ABDF24AF78DC92ABA77EF9F01320B16417DF955DBB81EB7199018794
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0066C742
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0066C786
                                • RegCloseKey.ADVAPI32(?), ref: 0066CA50
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                • API String ID: 1332880857-3714951968
                                • Opcode ID: cbb52d21f1f19e4f1c635b3a6e323367e1ee87a30f3e2c6d15d138e595737e28
                                • Instruction ID: a0a7930f5ce3a2ea37e4808ddde134636e187b446c7743f38457d6c2cd04809a
                                • Opcode Fuzzy Hash: cbb52d21f1f19e4f1c635b3a6e323367e1ee87a30f3e2c6d15d138e595737e28
                                • Instruction Fuzzy Hash: 90813E711083449BD364EB10D851EEFB7EABF95305F10492DB98A871A1FF30AA4DCB96
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0066D66B
                                • GetCursorPos.USER32(?), ref: 0066D67A
                                • SetForegroundWindow.USER32(?), ref: 0066D683
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0066D69D
                                • Shell_NotifyIconA.SHELL32(00000002,006C4B48), ref: 0066D6EE
                                • ExitProcess.KERNEL32 ref: 0066D6F6
                                • CreatePopupMenu.USER32 ref: 0066D6FC
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0066D711
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: 7e3e1f78d6b5d0f07891305d5e52cc3d99b7eef2bb537d7377d269b1ce2e42d0
                                • Instruction ID: 66473b0100d3f8949ca6843f6dd0e26985e5cdd7ceeb80985fc5abec3f082977
                                • Opcode Fuzzy Hash: 7e3e1f78d6b5d0f07891305d5e52cc3d99b7eef2bb537d7377d269b1ce2e42d0
                                • Instruction Fuzzy Hash: 9A21F371A00109AFDF15AFA4ED1EEA97F77EB09301F146114F606951B0DBB1AD21AB21
                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 006548E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00654A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00654A0E
                                • WSAGetLastError.WS2_32 ref: 00654A21
                                  • Part of subcall function 0066B580: GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PklNl$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-1000945761
                                • Opcode ID: df31ce744ea3bd017dcd2538c7af44125d8d96a838a46014524ec7f20740b481
                                • Instruction ID: 29610e3d48fa667f6ea2b8933b0b61c1d5bf7bd86fe0e61c1811d6be8df87ba2
                                • Opcode Fuzzy Hash: df31ce744ea3bd017dcd2538c7af44125d8d96a838a46014524ec7f20740b481
                                • Instruction Fuzzy Hash: 43414BB4A506027797847B79891B5BDBB1BAB42305F40005DEC0347AC6EE129CA88BE7
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 006A138A
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A059F
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A05B1
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A05C3
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A05D5
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A05E7
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A05F9
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A060B
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A061D
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A062F
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A0641
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A0653
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A0665
                                  • Part of subcall function 006A0582: _free.LIBCMT ref: 006A0677
                                • _free.LIBCMT ref: 006A137F
                                  • Part of subcall function 00696802: HeapFree.KERNEL32(00000000,00000000,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?), ref: 00696818
                                  • Part of subcall function 00696802: GetLastError.KERNEL32(?,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?,?), ref: 0069682A
                                • _free.LIBCMT ref: 006A13A1
                                • _free.LIBCMT ref: 006A13B6
                                • _free.LIBCMT ref: 006A13C1
                                • _free.LIBCMT ref: 006A13E3
                                • _free.LIBCMT ref: 006A13F6
                                • _free.LIBCMT ref: 006A1404
                                • _free.LIBCMT ref: 006A140F
                                • _free.LIBCMT ref: 006A1447
                                • _free.LIBCMT ref: 006A144E
                                • _free.LIBCMT ref: 006A146B
                                • _free.LIBCMT ref: 006A1483
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 54460e9a18292e7ef46406fe9d498ee9c7d28e216b11c8107ad3d7b5d35dcda2
                                • Instruction ID: a6baf6cee40081066dc8be9a5d494cb8ec83f7605a0397a72bc33b506620c9a6
                                • Opcode Fuzzy Hash: 54460e9a18292e7ef46406fe9d498ee9c7d28e216b11c8107ad3d7b5d35dcda2
                                • Instruction Fuzzy Hash: EB315C716007009FEF60AE39D946B9A73EAEF07310F20892DF498DB651DF75AD409B24
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00658D1E
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00658D56
                                • __aulldiv.LIBCMT ref: 00658D88
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                  • Part of subcall function 0066B580: GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00658EAB
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00658EC6
                                • CloseHandle.KERNEL32(00000000), ref: 00658F9F
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00658FE9
                                • CloseHandle.KERNEL32(00000000), ref: 00659037
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                • API String ID: 3086580692-2596673759
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00662B08
                                  • Part of subcall function 0066BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0065407C), ref: 0066BA30
                                  • Part of subcall function 006685A3: CloseHandle.KERNEL32(006540F5,?,?,006540F5,006B5E84), ref: 006685B9
                                  • Part of subcall function 006685A3: CloseHandle.KERNEL32(006B5E84,?,?,006540F5,006B5E84), ref: 006685C2
                                • Sleep.KERNEL32(0000000A,006B5E84), ref: 00662C5A
                                • Sleep.KERNEL32(0000000A,006B5E84,006B5E84), ref: 00662CFC
                                • Sleep.KERNEL32(0000000A,006B5E84,006B5E84,006B5E84), ref: 00662D9E
                                • DeleteFileW.KERNEL32(00000000,006B5E84,006B5E84,006B5E84), ref: 00662E00
                                • DeleteFileW.KERNEL32(00000000,006B5E84,006B5E84,006B5E84), ref: 00662E37
                                • DeleteFileW.KERNEL32(00000000,006B5E84,006B5E84,006B5E84), ref: 00662E73
                                • Sleep.KERNEL32(000001F4,006B5E84,006B5E84,006B5E84), ref: 00662E8D
                                • Sleep.KERNEL32(00000064), ref: 00662ECF
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "
                                • API String ID: 1223786279-3856184850
                                APIs
                                  • Part of subcall function 006A5929: CreateFileW.KERNEL32(00000000,00000000,?,006A5D04,?,?,00000000,?,006A5D04,00000000,0000000C), ref: 006A5946
                                • GetLastError.KERNEL32 ref: 006A5D6F
                                • __dosmaperr.LIBCMT ref: 006A5D76
                                • GetFileType.KERNEL32(00000000), ref: 006A5D82
                                • GetLastError.KERNEL32 ref: 006A5D8C
                                • __dosmaperr.LIBCMT ref: 006A5D95
                                • CloseHandle.KERNEL32(00000000), ref: 006A5DB5
                                • CloseHandle.KERNEL32(?), ref: 006A5EFF
                                • GetLastError.KERNEL32 ref: 006A5F31
                                • __dosmaperr.LIBCMT ref: 006A5F38
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,th,0068EA74,?,?,PklNl,0069AF1A,00000001,00000001,A4E85006), ref: 0069AD23
                                • __alloca_probe_16.LIBCMT ref: 0069AD5B
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PklNl,0069AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0069ADA9
                                • __alloca_probe_16.LIBCMT ref: 0069AE40
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0069AEA3
                                • __freea.LIBCMT ref: 0069AEB0
                                  • Part of subcall function 006961B8: RtlAllocateHeap.NTDLL(00000000,00685349,?,?,006888C7,?,?,00000000,006C6B50,?,0065DE9D,00685349,?,?,?,?), ref: 006961EA
                                • __freea.LIBCMT ref: 0069AEB9
                                • __freea.LIBCMT ref: 0069AEDE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID: PklNl$th
                                • API String ID: 3864826663-4072370316
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,006C50E4,?,006C5338), ref: 0065F4C9
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,006C5338), ref: 0065F4F4
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0065F510
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0065F58F
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,006C5338), ref: 0065F59E
                                  • Part of subcall function 0066C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0066C286
                                  • Part of subcall function 0066C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0066C299
                                • CloseHandle.KERNEL32(00000000,?,006C5338), ref: 0065F6A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                • API String ID: 3756808967-1743721670
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&l$\&l$`&l
                                • API String ID: 269201875-353644862
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                APIs
                                  • Part of subcall function 0066288B: TerminateProcess.KERNEL32(00000000,?,0065D84A), ref: 0066289B
                                  • Part of subcall function 0066288B: WaitForSingleObject.KERNEL32(000000FF,?,0065D84A), ref: 006628AE
                                  • Part of subcall function 00663733: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000208), ref: 0066374F
                                  • Part of subcall function 00663733: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00663768
                                  • Part of subcall function 00663733: RegCloseKey.KERNELBASE(?), ref: 00663773
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0065D894
                                • ShellExecuteW.SHELL32(00000000,open,00000000,006B6478,006B6478,00000000), ref: 0065D9F3
                                • ExitProcess.KERNEL32 ref: 0065D9FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                • API String ID: 1913171305-2411266221
                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0065DBD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00651D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0068A912
                                • GetLastError.KERNEL32(?,?,00651D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0068A91F
                                • __dosmaperr.LIBCMT ref: 0068A926
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00651D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0068A952
                                • GetLastError.KERNEL32(?,?,?,00651D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0068A95C
                                • __dosmaperr.LIBCMT ref: 0068A963
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00651D55,?), ref: 0068A9A6
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00651D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0068A9B0
                                • __dosmaperr.LIBCMT ref: 0068A9B7
                                • _free.LIBCMT ref: 0068A9C3
                                • _free.LIBCMT ref: 0068A9CA
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7
                                • API String ID: 0-3177665633
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 006554BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0065556F
                                • TranslateMessage.USER32(?), ref: 0065557E
                                • DispatchMessageA.USER32(?), ref: 00655589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,006C4F78), ref: 00655641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00655679
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                APIs
                                • OpenClipboard.USER32 ref: 0066697C
                                • EmptyClipboard.USER32 ref: 0066698A
                                • CloseClipboard.USER32 ref: 00666990
                                • OpenClipboard.USER32 ref: 00666997
                                • GetClipboardData.USER32(0000000D), ref: 006669A7
                                • GlobalLock.KERNEL32(00000000), ref: 006669B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 006669B9
                                • CloseClipboard.USER32 ref: 006669BF
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !De
                                • API String ID: 2172192267-1862527507
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABAD
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABC4
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABD1
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABE0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABF1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A517,00000000), ref: 0066ABF4
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                APIs
                                • _free.LIBCMT ref: 006981B5
                                  • Part of subcall function 00696802: HeapFree.KERNEL32(00000000,00000000,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?), ref: 00696818
                                  • Part of subcall function 00696802: GetLastError.KERNEL32(?,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?,?), ref: 0069682A
                                • _free.LIBCMT ref: 006981C1
                                • _free.LIBCMT ref: 006981CC
                                • _free.LIBCMT ref: 006981D7
                                • _free.LIBCMT ref: 006981E2
                                • _free.LIBCMT ref: 006981ED
                                • _free.LIBCMT ref: 006981F8
                                • _free.LIBCMT ref: 00698203
                                • _free.LIBCMT ref: 0069820E
                                • _free.LIBCMT ref: 0069821C
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                APIs
                                • __EH_prolog.LIBCMT ref: 0066A04A
                                • GdiplusStartup.GDIPLUS(006C4ACC,?,00000000), ref: 0066A07C
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0066A108
                                • Sleep.KERNEL32(000003E8), ref: 0066A18E
                                • GetLocalTime.KERNEL32(?), ref: 0066A196
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0066A285
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                • API String ID: 489098229-3790400642
                                • Opcode ID: b0e64424c1ddfbc9d23977b04e21cefb9454478889e06876d94d9e6cf102d449
                                • Instruction ID: 6d608d0bee588f6160d870b96f8bd59af28bd7e85b20375fc3f70d36c73639e4
                                • Opcode Fuzzy Hash: b0e64424c1ddfbc9d23977b04e21cefb9454478889e06876d94d9e6cf102d449
                                • Instruction Fuzzy Hash: FC517370A002149BCB94FBB4CC52AFD7BABAF56301F44006DF946AB291EF345E49CB65
                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PklNl,0069BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0069B47E
                                • __fassign.LIBCMT ref: 0069B4F9
                                • __fassign.LIBCMT ref: 0069B514
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0069B53A
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0069BBB1,00000000,?,?,?,?,?,?,?,?,PklNl,0069BBB1,?), ref: 0069B559
                                • WriteFile.KERNEL32(?,?,00000001,0069BBB1,00000000,?,?,?,?,?,?,?,?,PklNl,0069BBB1,?), ref: 0069B592
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PklNl
                                • API String ID: 1324828854-3463370728
                                • Opcode ID: 2ef626e7a9037810ee33ab3c7fe69cec1f7a1a3672401277e0f5b408be89d441
                                • Instruction ID: 35ee4c10d3048ccfbe98a3bcf1cefaecd2e6cfecfcf1057998ff4f52ae7244da
                                • Opcode Fuzzy Hash: 2ef626e7a9037810ee33ab3c7fe69cec1f7a1a3672401277e0f5b408be89d441
                                • Instruction Fuzzy Hash: E351D6709002499FCF10CFA8ED45AEEBBFAEF49310F15515AE955E7291D730A941CF60
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00667530
                                  • Part of subcall function 0066C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C52F
                                • Sleep.KERNEL32(00000064), ref: 0066755C
                                • DeleteFileW.KERNEL32(00000000), ref: 00667590
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: db46418e7ef74202850784db6d1180b708a9106a6707957bb9bb8b88a901dc10
                                • Instruction ID: 31bc9c173a53de5e96a23fd905e4149e63f4d3fcce255a9ae4ee8f2aba64be11
                                • Opcode Fuzzy Hash: db46418e7ef74202850784db6d1180b708a9106a6707957bb9bb8b88a901dc10
                                • Instruction Fuzzy Hash: B53192719401185ACB88FB60DC92EFD7776AF11316F40016CF806A71D2EF206E8ECB98
                                APIs
                                • GetCurrentProcess.KERNEL32(006C2B14,00000000,006C52D8,00003000,00000004,00000000,00000001), ref: 00657418
                                • GetCurrentProcess.KERNEL32(006C2B14,00000000,00008000,?,00000000,00000001,00000000,00657691,C:\Windows\SysWOW64\svchost.exe), ref: 006574D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 531f18fdef5daa23f2428337245aff80b432e4d90c2bf9fa94aa7827f85b3127
                                • Instruction ID: a95d58c18dddeb4dbb0c7b6ce06c8b81945652a98019601fb49261722555d5aa
                                • Opcode Fuzzy Hash: 531f18fdef5daa23f2428337245aff80b432e4d90c2bf9fa94aa7827f85b3127
                                • Instruction Fuzzy Hash: F131A1B2204302AFD750EFA5EC56F7A77BBEB04306F001518FD0292251DBB4E9498B65
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0066D507
                                  • Part of subcall function 0066D5A0: RegisterClassExA.USER32(00000030), ref: 0066D5EC
                                  • Part of subcall function 0066D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0066D607
                                  • Part of subcall function 0066D5A0: GetLastError.KERNEL32 ref: 0066D611
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0066D53E
                                • lstrcpynA.KERNEL32(006C4B60,Remcos,00000080), ref: 0066D558
                                • Shell_NotifyIconA.SHELL32(00000000,006C4B48), ref: 0066D56E
                                • TranslateMessage.USER32(?), ref: 0066D57A
                                • DispatchMessageA.USER32(?), ref: 0066D584
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0066D591
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: 42fd63bee7cd9d73dfcd289323c899867140f40b28b2cab646432dde3e70d0af
                                • Instruction ID: 9e0a8b26f1741a1f976bec90f8905822f8354d103ff353b88a5a6ab7d139b866
                                • Opcode Fuzzy Hash: 42fd63bee7cd9d73dfcd289323c899867140f40b28b2cab646432dde3e70d0af
                                • Instruction Fuzzy Hash: B2016571900244ABDB10EFA5EC1CFABBB7EEB82704F105019F511D31A0DB74A845CF60
                                APIs
                                  • Part of subcall function 00698295: GetLastError.KERNEL32(?,0068F770,0068A875,0068F770,006C4EF8,PklNl,0068CE65,FF8BC35D,006C4EF8,006C4EF8), ref: 00698299
                                  • Part of subcall function 00698295: _free.LIBCMT ref: 006982CC
                                  • Part of subcall function 00698295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0069830D
                                  • Part of subcall function 00698295: _abort.LIBCMT ref: 00698313
                                • _memcmp.LIBVCRUNTIME ref: 006954A4
                                • _free.LIBCMT ref: 00695515
                                • _free.LIBCMT ref: 0069552E
                                • _free.LIBCMT ref: 00695560
                                • _free.LIBCMT ref: 00695569
                                • _free.LIBCMT ref: 00695575
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 01f19e73cbf3a7d55dacf2879ded75234511b5b3f1548c7f90fb0cd9043b6fcf
                                • Instruction ID: 9df74d97e5ce5fe0dadcc58a7788f7ade80573bdbd7423b04a1f3d7adcab34b7
                                • Opcode Fuzzy Hash: 01f19e73cbf3a7d55dacf2879ded75234511b5b3f1548c7f90fb0cd9043b6fcf
                                • Instruction Fuzzy Hash: 89B15975A016199FDF65DF18C884AADB7BAFF08304F5045AEE80AA7751E730AE90CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 8f99e1dd9f9990ded8192061ad069664bba4ddf5cf43f93f1b291f6dae4a292a
                                • Instruction ID: 8d720cbd5fc6ebc6a6d8fa58c278881f8caaf4538c2e95e5f9e99f24f64368d9
                                • Opcode Fuzzy Hash: 8f99e1dd9f9990ded8192061ad069664bba4ddf5cf43f93f1b291f6dae4a292a
                                • Instruction Fuzzy Hash: 1C71A9306483429FDB289F94C48176ABBE6EF88744F14496EF88687350EF70CD45CB96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                • API String ID: 3578746661-168337528
                                • Opcode ID: 45813dd6c5817297be40f6fe990eff26b73638ea7c8086dde60208768030a1ed
                                • Instruction ID: e6fb837bb71e26f1b1d06f075227bda95780520c7f4142624946a899c7968324
                                • Opcode Fuzzy Hash: 45813dd6c5817297be40f6fe990eff26b73638ea7c8086dde60208768030a1ed
                                • Instruction Fuzzy Hash: F751C471A042015BC754FB35D866B7E3AA7AF96301F44052DFC028F2E2DF34994AC78A
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,006C4EE0,006B5FB4,?,00000000,00658037,00000000), ref: 00657A00
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00658037,00000000,?,?,0000000A,00000000), ref: 00657A48
                                  • Part of subcall function 00654AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00654B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00658037,00000000,?,?,0000000A,00000000), ref: 00657A88
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00657AA5
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00657AD0
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00657AE0
                                  • Part of subcall function 00654B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,006C4EF8,00654C49,00000000,00000000,00000000,?,006C4EF8,?), ref: 00654BA5
                                  • Part of subcall function 00654B96: SetEvent.KERNEL32(00000000), ref: 00654BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: b62ff1b16f69c43c13e137802eecb80e3261f6509b15c86326a5f8d44388d93c
                                • Instruction ID: 7cd21c2c9d76d8e83edce97a0e4664fc9013ba7e25ea52885028517846e893b4
                                • Opcode Fuzzy Hash: b62ff1b16f69c43c13e137802eecb80e3261f6509b15c86326a5f8d44388d93c
                                • Instruction Fuzzy Hash: 1131AE71508340AFC750EB60D845A9FB3EAFF95356F00491DB88692151EB70AE4CCBAA
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0065A30E
                                • SetWindowsHookExA.USER32(0000000D,0065A2DF,00000000), ref: 0065A31C
                                • GetLastError.KERNEL32 ref: 0065A328
                                  • Part of subcall function 0066B580: GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0065A376
                                • TranslateMessage.USER32(?), ref: 0065A385
                                • DispatchMessageA.USER32(?), ref: 0065A390
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0065A33C
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: 6dbdc0c2f45b0f452476465c8ba33fcc4e30d8d6436459f97ff66d2bfbfcd24e
                                • Instruction ID: 62cb839b3fbdad8e85ba5aa244cb80566f1688b4cbc27635374cb5621932af1d
                                • Opcode Fuzzy Hash: 6dbdc0c2f45b0f452476465c8ba33fcc4e30d8d6436459f97ff66d2bfbfcd24e
                                • Instruction Fuzzy Hash: F111A771510201AFCB107FB59C0A8AB77FEEB96716F60162DFC42C3290EA309908CB72
                                APIs
                                • SendInput.USER32 ref: 00669A25
                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00669A4D
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00669A74
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00669A92
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00669AB2
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00669AD7
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00669AF9
                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00669B1C
                                  • Part of subcall function 006699CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 006699D4
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend$Virtual
                                • String ID:
                                • API String ID: 1167301434-0
                                • Opcode ID: 4322df02cbadec0926b48066eb2eadf3d4c1c1d0a776c2d178642624e5188e15
                                • Instruction ID: ca55d3994ebed668296bab482c2eb24868c87272da53d84ceac2f6837423641d
                                • Opcode Fuzzy Hash: 4322df02cbadec0926b48066eb2eadf3d4c1c1d0a776c2d178642624e5188e15
                                • Instruction Fuzzy Hash: F2319F21248349A9E220DFA5DC41BAFFBED9FC9B40F08090FB98457291CAB0994C8777
                                APIs
                                • GetForegroundWindow.USER32 ref: 0065A451
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0065A45D
                                • GetKeyboardLayout.USER32(00000000), ref: 0065A464
                                • GetKeyState.USER32(00000010), ref: 0065A46E
                                • GetKeyboardState.USER32(?), ref: 0065A479
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0065A49C
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0065A4FC
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0065A535
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 616d36cf5fb885e69f0ae60fd21a2cd0dc1916685de7adf7b6e95ec8a0006384
                                • Instruction ID: 3dd8815d0943c65724d1670d7a6dd43d30d3769608bec311f7ba264e84701818
                                • Opcode Fuzzy Hash: 616d36cf5fb885e69f0ae60fd21a2cd0dc1916685de7adf7b6e95ec8a0006384
                                • Instruction Fuzzy Hash: 1A317F72104308BFD711DB94DC45FEB7BEDFB88744F10092AB645C61A0E6B1E9588BA2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$h{i
                                • API String ID: 2936374016-3432184956
                                • Opcode ID: 9861600851db122680324fc9b196e69c61c03f317d8c7299752730c98ac106c6
                                • Instruction ID: 83f39a55c62264fb56b5b6081bfa0424ef6ef1ab3f796538f54835aaaeef067c
                                • Opcode Fuzzy Hash: 9861600851db122680324fc9b196e69c61c03f317d8c7299752730c98ac106c6
                                • Instruction Fuzzy Hash: 53D12331928206CADF289F68C955BFEB7BBFF01700F24415AE501ABB51D3359E41CBA0
                                APIs
                                • _free.LIBCMT ref: 00699292
                                • _free.LIBCMT ref: 006992B6
                                • _free.LIBCMT ref: 0069943D
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006AF244), ref: 0069944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006C2764,000000FF,00000000,0000003F,00000000,?,?), ref: 006994C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006C27B8,000000FF,?,0000003F,00000000,?), ref: 006994F4
                                • _free.LIBCMT ref: 00699609
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: c259ef3fac717efbd21c839847f950b18a9eca531c54eee8fc7ba99c8a74fb75
                                • Instruction ID: ffced723efb5531510ba99d6b248a0e305cccbd750c7324d45fef3fb2621a70a
                                • Opcode Fuzzy Hash: c259ef3fac717efbd21c839847f950b18a9eca531c54eee8fc7ba99c8a74fb75
                                • Instruction Fuzzy Hash: 3DC1F671900245ABDF259F7D8851AFA7BAFEF46310F1401AEE88597B91D7308E42C774
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0068F918,?,00000000,?,00000001,?,000000FF,00000001,0068F918,?), ref: 006A11F9
                                • __alloca_probe_16.LIBCMT ref: 006A1231
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006A1282
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006A1294
                                • __freea.LIBCMT ref: 006A129D
                                  • Part of subcall function 006961B8: RtlAllocateHeap.NTDLL(00000000,00685349,?,?,006888C7,?,?,00000000,006C6B50,?,0065DE9D,00685349,?,?,?,?), ref: 006961EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID: PklNl
                                • API String ID: 313313983-3463370728
                                • Opcode ID: dceeccdbf45e7488c2440cc1c397d2367d6c0c33d29af1536f902216f617dd95
                                • Instruction ID: 52d8e51e4f5e28fb57f1b4f62b7066a8b34ec05be29bdc9bce66a3c8b61f1c68
                                • Opcode Fuzzy Hash: dceeccdbf45e7488c2440cc1c397d2367d6c0c33d29af1536f902216f617dd95
                                • Instruction Fuzzy Hash: CA31B371A0020A9BDF25AF64DC45EEE7BA6EB42710F144168FC05DB251E735DE91CFA0
                                APIs
                                  • Part of subcall function 00663656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,006C50E4), ref: 00663678
                                  • Part of subcall function 00663656: RegQueryValueExW.ADVAPI32(?,0065F34E,00000000,00000000,?,00000400), ref: 00663697
                                  • Part of subcall function 00663656: RegCloseKey.ADVAPI32(?), ref: 006636A0
                                  • Part of subcall function 0066C048: GetCurrentProcess.KERNEL32(?,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C059
                                  • Part of subcall function 0066C048: IsWow64Process.KERNEL32(00000000,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C060
                                • _wcslen.LIBCMT ref: 0066B7F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8Sl$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-1625010022
                                • Opcode ID: e9ad3413c57ce921def6dfb8c8c5149f318fc27be91d6bd21839464c6f668ac5
                                • Instruction ID: 9477839977fdc36d18dba18483cf1e63f9e7659203f22670febf0cc14fda5c1c
                                • Opcode Fuzzy Hash: e9ad3413c57ce921def6dfb8c8c5149f318fc27be91d6bd21839464c6f668ac5
                                • Instruction Fuzzy Hash: C5218662A001046BDF54BAB48C92EFD76AF9F49331F14153DF806A7282EE249D4D4368
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26bb1df35f57844d4fc7b2eb482c174cd253ccfff389614534a06d872d2fbd10
                                • Instruction ID: 44a33a0bd4b97e3a6c15e209832c357fa799fa7128d9763d6810ac91ad384e61
                                • Opcode Fuzzy Hash: 26bb1df35f57844d4fc7b2eb482c174cd253ccfff389614534a06d872d2fbd10
                                • Instruction Fuzzy Hash: 2311E4B2504214BFDF207F75DC09A6B3AAEEF87730B244618B956C6251EA309C418BB0
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0066B438
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0066B44E
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0066B467
                                • InternetCloseHandle.WININET(00000000), ref: 0066B4AD
                                • InternetCloseHandle.WININET(00000000), ref: 0066B4B0
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0066B448
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 006611AB
                                • int.LIBCPMT ref: 006611BE
                                  • Part of subcall function 0065E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0065E10D
                                  • Part of subcall function 0065E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0065E127
                                • std::_Facet_Register.LIBCPMT ref: 006611FE
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00661207
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00661225
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (ml
                                • API String ID: 2536120697-1565062867
                                APIs
                                  • Part of subcall function 0066C048: GetCurrentProcess.KERNEL32(?,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C059
                                  • Part of subcall function 0066C048: IsWow64Process.KERNEL32(00000000,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C060
                                  • Part of subcall function 006635E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00663605
                                  • Part of subcall function 006635E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00663622
                                  • Part of subcall function 006635E1: RegCloseKey.ADVAPI32(?), ref: 0066362D
                                • StrToIntA.SHLWAPI(00000000,006BCA08,00000000,00000000,00000000,006C50E4,00000003,Exe,00000000,0000000E,00000000,006B60CC,00000003,00000000), ref: 0066B3CD
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                APIs
                                • GetLastError.KERNEL32(?,?,0068A3D1,0068933E), ref: 0068A3E8
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0068A3F6
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0068A40F
                                • SetLastError.KERNEL32(00000000,?,0068A3D1,0068933E), ref: 0068A461
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\svchost.exe), ref: 0065760B
                                  • Part of subcall function 00657538: _wcslen.LIBCMT ref: 0065755C
                                  • Part of subcall function 00657538: CoGetObject.OLE32(?,00000024,006B6528,00000000), ref: 006575BD
                                • CoUninitialize.OLE32 ref: 00657664
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Windows\SysWOW64\svchost.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-1118284336
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0065BB18
                                • GetLastError.KERNEL32 ref: 0065BB22
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0065BAE3
                                • UserProfile, xrefs: 0065BAE8
                                • [Chrome Cookies found, cleared!], xrefs: 0065BB48
                                • [Chrome Cookies not found], xrefs: 0065BB3C
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PklNl,0069338B,00000003,PklNl,0069332B,00000003,006BE958,0000000C,00693482,00000003,00000002), ref: 006933FA
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0069340D
                                • FreeLibrary.KERNEL32(00000000,?,?,PklNl,0069338B,00000003,PklNl,0069332B,00000003,006BE958,0000000C,00693482,00000003,00000002,00000000,PklNl), ref: 00693430
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PklNl$mscoree.dll
                                • API String ID: 4061214504-4171159331
                                APIs
                                • __allrem.LIBCMT ref: 0068ACE9
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068AD05
                                • __allrem.LIBCMT ref: 0068AD1C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068AD3A
                                • __allrem.LIBCMT ref: 0068AD51
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0068AD6F
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 006544C4
                                  • Part of subcall function 00654607: __EH_prolog.LIBCMT ref: 0065460C
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNl$OpenCamera
                                • API String ID: 3469354165-3753076326
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0065A77B
                                  • Part of subcall function 0065A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0065A788), ref: 0065A6E6
                                  • Part of subcall function 0065A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0065A788), ref: 0065A6F5
                                  • Part of subcall function 0065A6B0: Sleep.KERNEL32(00002710,?,?,?,0065A788), ref: 0065A722
                                  • Part of subcall function 0065A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0065A788), ref: 0065A729
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0065A7B7
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0065A7C8
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0065A7DF
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0065A859
                                  • Part of subcall function 0066C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C52F
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,006B6478,00000000,00000000,00000000), ref: 0065A962
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID:
                                • API String ID: 3795512280-0
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID: PklNl
                                • API String ID: 1036877536-3463370728
                                APIs
                                • GetLastError.KERNEL32(?,0068F770,0068A875,0068F770,006C4EF8,PklNl,0068CE65,FF8BC35D,006C4EF8,006C4EF8), ref: 00698299
                                • _free.LIBCMT ref: 006982CC
                                • _free.LIBCMT ref: 006982F4
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00698301
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0069830D
                                • _abort.LIBCMT ref: 00698313
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB46
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB5A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB67
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB76
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB88
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A6B4,00000000), ref: 0066AB8B
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC4A
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC5E
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC6B
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC7A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC8C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0066A634,00000000), ref: 0066AC8F
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0066A731,00000000), ref: 0066AAE4
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0066A731,00000000), ref: 0066AAF9
                                • CloseServiceHandle.ADVAPI32(00000000,?,0066A731,00000000), ref: 0066AB06
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0066A731,00000000), ref: 0066AB11
                                • CloseServiceHandle.ADVAPI32(00000000,?,0066A731,00000000), ref: 0066AB23
                                • CloseServiceHandle.ADVAPI32(00000000,?,0066A731,00000000), ref: 0066AB26
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 006518BE
                                • ExitThread.KERNEL32 ref: 006518F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,006C4EE0,00000000), ref: 00651A04
                                  • Part of subcall function 00684801: __onexit.LIBCMT ref: 00684807
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: Pkl$Nl
                                • API String ID: 1649129571-3239879933
                                Similarity
                                • API ID:
                                • String ID: PklNl
                                • API String ID: 0-3463370728
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,006C50F0), ref: 0065B1AD
                                • wsprintfW.USER32 ref: 0065B22E
                                  • Part of subcall function 0065A671: SetEvent.KERNEL32(00000000,?,00000000,0065B245,00000000), ref: 0065A69D
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0066D5EC
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0066D607
                                • GetLastError.KERNEL32 ref: 0066D611
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 006577D6
                                • CloseHandle.KERNEL32(?), ref: 006577E5
                                • CloseHandle.KERNEL32(?), ref: 006577EA
                                Strings
                                • C:\Windows\System32\cmd.exe, xrefs: 006577D1
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 006577CC
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: C:\Windows\SysWOW64\svchost.exe$Rmc-HWAIZA
                                • API String ID: 0-3169265942
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,006C4EF8), ref: 00655120
                                • SetEvent.KERNEL32(?), ref: 0065512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00655137
                                • CloseHandle.KERNEL32(?), ref: 00655140
                                  • Part of subcall function 0066B580: GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0066B54A
                                • LoadResource.KERNEL32(00000000,?,?,0065F419,00000000), ref: 0066B55E
                                • LockResource.KERNEL32(00000000,?,?,0065F419,00000000), ref: 0066B565
                                • SizeofResource.KERNEL32(00000000,?,?,0065F419,00000000), ref: 0066B574
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006AF244), ref: 0069944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006C2764,000000FF,00000000,0000003F,00000000,?,?), ref: 006994C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006C27B8,000000FF,?,0000003F,00000000,?), ref: 006994F4
                                • _free.LIBCMT ref: 0069943D
                                  • Part of subcall function 00696802: HeapFree.KERNEL32(00000000,00000000,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?), ref: 00696818
                                  • Part of subcall function 00696802: GetLastError.KERNEL32(?,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?,?), ref: 0069682A
                                • _free.LIBCMT ref: 00699609
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                APIs
                                  • Part of subcall function 0066C048: GetCurrentProcess.KERNEL32(?,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C059
                                  • Part of subcall function 0066C048: IsWow64Process.KERNEL32(00000000,?,?,0065DAE5,WinDir,00000000,00000000), ref: 0066C060
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0065F956
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0065F97A
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0065F989
                                • CloseHandle.KERNEL32(00000000), ref: 0065FB40
                                  • Part of subcall function 0066C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0065F634,00000000,?,?,006C5338), ref: 0066C08B
                                  • Part of subcall function 0066C076: IsWow64Process.KERNEL32(00000000,?,?,?,006C5338), ref: 0066C096
                                  • Part of subcall function 0066C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0066C286
                                  • Part of subcall function 0066C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0066C299
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0065FB31
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00651BF9
                                • waveInOpen.WINMM(006C2AC0,000000FF,006C2AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00651C8F
                                • waveInPrepareHeader.WINMM(006C2A88,00000020), ref: 00651CE3
                                • waveInAddBuffer.WINMM(006C2A88,00000020), ref: 00651CF2
                                • waveInStart.WINMM ref: 00651CFE
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID:
                                • API String ID: 1356121797-0
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0069F3E3
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0069F406
                                  • Part of subcall function 006961B8: RtlAllocateHeap.NTDLL(00000000,00685349,?,?,006888C7,?,?,00000000,006C6B50,?,0065DE9D,00685349,?,?,?,?), ref: 006961EA
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0069F42C
                                • _free.LIBCMT ref: 0069F43F
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0069F44E
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0066C5A1,00000000,00000000,00000000), ref: 0066C4C1
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0066C5A1,00000000,00000000), ref: 0066C4DE
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0066C5A1,00000000,00000000), ref: 0066C4EA
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00656FC0,00000000,?,00000004,00000000,0066C5A1,00000000,00000000), ref: 0066C4FB
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0066C5A1,00000000,00000000), ref: 0066C508
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0068BCD6,00000000,?,?,0068BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0069831E
                                • _free.LIBCMT ref: 00698353
                                • _free.LIBCMT ref: 0069837A
                                • SetLastError.KERNEL32(00000000), ref: 00698387
                                • SetLastError.KERNEL32(00000000), ref: 00698390
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0066C286
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0066C299
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0066C2B9
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0066C2C4
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0066C2CC
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                APIs
                                • _free.LIBCMT ref: 006A0A54
                                  • Part of subcall function 00696802: HeapFree.KERNEL32(00000000,00000000,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?), ref: 00696818
                                  • Part of subcall function 00696802: GetLastError.KERNEL32(?,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?,?), ref: 0069682A
                                • _free.LIBCMT ref: 006A0A66
                                • _free.LIBCMT ref: 006A0A78
                                • _free.LIBCMT ref: 006A0A8A
                                • _free.LIBCMT ref: 006A0A9C
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                APIs
                                • _free.LIBCMT ref: 00694106
                                  • Part of subcall function 00696802: HeapFree.KERNEL32(00000000,00000000,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?), ref: 00696818
                                  • Part of subcall function 00696802: GetLastError.KERNEL32(?,?,006A0CEF,?,00000000,?,00000000,?,006A0F93,?,00000007,?,?,006A14DE,?,?), ref: 0069682A
                                • _free.LIBCMT ref: 00694118
                                • _free.LIBCMT ref: 0069412B
                                • _free.LIBCMT ref: 0069413C
                                • _free.LIBCMT ref: 0069414D
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: PklNl
                                • API String ID: 0-3463370728
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00663AF7
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00663B26
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00663BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]
                                • API String ID: 3554306468-4262303796
                                • Opcode ID: 5bccfa4b575537a055cb1a4a920a85d8a03d28ad734aa87e1d3f1cc883690e12
                                • Instruction ID: 7587c1dab3b06ac3b5fbab037e9f1a305d346a1265a9fa3a4513a0aa62fee18e
                                • Opcode Fuzzy Hash: 5bccfa4b575537a055cb1a4a920a85d8a03d28ad734aa87e1d3f1cc883690e12
                                • Instruction Fuzzy Hash: D0514E71900129AADB54EBD5DC82EEEB7BEFF15301F100069F906E6191EF706B48CBA4
                                APIs
                                • _strpbrk.LIBCMT ref: 0069E7B8
                                • _free.LIBCMT ref: 0069E8D5
                                  • Part of subcall function 0068BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0068BD3A,?,?,?,?,?,00000000,?,?,0068BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0068BD6A
                                  • Part of subcall function 0068BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0068BD8C
                                  • Part of subcall function 0068BD68: TerminateProcess.KERNEL32(00000000), ref: 0068BD93
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction ID: faf3fb5f35e4e3e8ea7261def414cf36cb424c28ab8db8da0e258aca2ca26529
                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction Fuzzy Hash: 7B519075E00219AFDF14DFA8C981AEDB7BAEF58314F24416EE854E7701E6329A01CB50
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\svchost.exe,00000104), ref: 00693515
                                • _free.LIBCMT ref: 006935E0
                                • _free.LIBCMT ref: 006935EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Windows\SysWOW64\svchost.exe
                                • API String ID: 2506810119-4069255997
                                • Opcode ID: d6a083f8be633c5ab6bf695a1be574e34b34d52854ff7231e80d7d410b1deee9
                                • Instruction ID: ea4abc32b2dde1d6d49941a5be42d15456a4fa37e40a2416084934580a93320c
                                • Opcode Fuzzy Hash: d6a083f8be633c5ab6bf695a1be574e34b34d52854ff7231e80d7d410b1deee9
                                • Instruction Fuzzy Hash: 05316DB1A00268AFDF21DF99D885DAEBBEEEB89310F11406AF80597711D6709F41DB90
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PklNl,0069BBFE,?,00000000,FF8BC35D), ref: 0069B952
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0069B980
                                • GetLastError.KERNEL32 ref: 0069B9B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PklNl
                                • API String ID: 2456169464-3463370728
                                • Opcode ID: f313cf2737a636638feaefd425ef05e43fa3c2d56be5122344ee2fa7818c9090
                                • Instruction ID: 1072f61fa329cfeb20e8e2357c319d99984180ec0eb62568b7ed6d09f69278fa
                                • Opcode Fuzzy Hash: f313cf2737a636638feaefd425ef05e43fa3c2d56be5122344ee2fa7818c9090
                                • Instruction Fuzzy Hash: 89319071A102199FCF14DF59ED809EAB7BAEF09300F1444ADEA0AD7650DB30AD80CF60
                                APIs
                                  • Part of subcall function 0065C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0065C531
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0065C658
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0065C6C3
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0065C63E
                                • User Data\Profile ?\Network\Cookies, xrefs: 0065C670
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: b5154d0448d15ca83254d5a67aa9c4d8e74e7e688f011a859e8739773d6ed1b6
                                • Instruction ID: 43dfa934b5bfaffdc716620abb9f09b79ba62395197a687b61e6216ff05a670a
                                • Opcode Fuzzy Hash: b5154d0448d15ca83254d5a67aa9c4d8e74e7e688f011a859e8739773d6ed1b6
                                • Instruction Fuzzy Hash: 0E2121719002199BCB54FBA1DC56DEEBBBEAE51323F40001DFD02A7191EF20A94EC6A4
                                APIs
                                  • Part of subcall function 0065C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0065C594
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0065C727
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0065C792
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0065C70D
                                • User Data\Profile ?\Network\Cookies, xrefs: 0065C73F
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 9f057bdd86822eca71f38c285f418b4e30e8fa362f4c56b8c406abfdf2161936
                                • Instruction ID: 307df2363bbba9613fb01a27cddcf4e5e00a10a4c5152f361ad18a7250508d04
                                • Opcode Fuzzy Hash: 9f057bdd86822eca71f38c285f418b4e30e8fa362f4c56b8c406abfdf2161936
                                • Instruction Fuzzy Hash: E62121719002199BCB54F7A1DC56DEEBB7EAE51723F40001DF902A7191EF20A94ECAA4
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0065A2B8,006C50F0,00000000,00000000), ref: 0065A239
                                • CreateThread.KERNEL32(00000000,00000000,0065A2A2,006C50F0,00000000,00000000), ref: 0065A249
                                • CreateThread.KERNEL32(00000000,00000000,0065A2C4,006C50F0,00000000,00000000), ref: 0065A255
                                  • Part of subcall function 0065B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,006C50F0), ref: 0065B1AD
                                  • Part of subcall function 0065B19F: wsprintfW.USER32 ref: 0065B22E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: e0fbd7a6c0075bf0c45b555ea44ee4e0845977e5b632b276bc2eeca164a494c5
                                • Instruction ID: b77e7d467eba4e30746db4755193d5e362b1dfca3dee1f04fb0197ac134f1202
                                • Opcode Fuzzy Hash: e0fbd7a6c0075bf0c45b555ea44ee4e0845977e5b632b276bc2eeca164a494c5
                                • Instruction Fuzzy Hash: A411C4B12002087E9220BB758C97CBB7A5FDA82395F04061DFC4602182EA616E5CCAF6
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PklNl
                                • API String ID: 481472006-41965614
                                • Opcode ID: 05685b0b1332fc459dcadf1494b264895be8a8f27612030f7410c6f2c434423f
                                • Instruction ID: 7369fd2fbede373f2dbb3e47a98d4fbe47a3176cd74db5dfd682a6853b5e57d6
                                • Opcode Fuzzy Hash: 05685b0b1332fc459dcadf1494b264895be8a8f27612030f7410c6f2c434423f
                                • Instruction Fuzzy Hash: 9F115E714082045AC344FB65E8519FEB3EAAB59302F50092DFC96C71E1EF28DA8DC75A
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00656ABD
                                • GetProcAddress.KERNEL32(00000000), ref: 00656AC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 57263cbe0417610622cf28ada67d82e394f00ac2da5b5599b1f7aeff2c3a3030
                                • Instruction ID: 579f4cce667ede4f0df56c383966153d27b7a074c35ed5b02375abe184d25652
                                • Opcode Fuzzy Hash: 57263cbe0417610622cf28ada67d82e394f00ac2da5b5599b1f7aeff2c3a3030
                                • Instruction Fuzzy Hash: 7801B175A04206ABCB18DFADDD549EEBBBAAB49301F00416DFD55D3340DA70A904CBA0
                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PklNl,0069C382,FF8BC369,00000000,00000002,00000000,PklNl), ref: 0069C30C
                                • GetLastError.KERNEL32 ref: 0069C316
                                • __dosmaperr.LIBCMT ref: 0069C31D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PklNl
                                • API String ID: 2336955059-3463370728
                                • Opcode ID: 74f69268496a175cae82af03d2da43487cc58dfb70b3166d93135d1e791af616
                                • Instruction ID: 50d9c6bd590693b56484c06951b49a8cea62fff5e98daf51aac65b4c97b9500c
                                • Opcode Fuzzy Hash: 74f69268496a175cae82af03d2da43487cc58dfb70b3166d93135d1e791af616
                                • Instruction Fuzzy Hash: A9014C32610118BFCF059F9CDC059AE7B2FDB86330B344208F9209B690EA31EE519BA0
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00655159), ref: 00655173
                                • CloseHandle.KERNEL32(?), ref: 006551CA
                                • SetEvent.KERNEL32(?), ref: 006551D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: d191149cbbbad6dc7e0a4206ad7f205ba4dd84b5c05d8c3ccbb1d3379f02ddcd
                                • Instruction ID: bf29473884acf0f9b827f47dc82eed666f6e16ec01b23b4d84caeb540a3e8ebb
                                • Opcode Fuzzy Hash: d191149cbbbad6dc7e0a4206ad7f205ba4dd84b5c05d8c3ccbb1d3379f02ddcd
                                • Instruction Fuzzy Hash: 63012431651F01AFD7357B358CAA4AABFE3BF02706B00092DE88382AA1DA20A444CF51
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0065E86E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: e1e88e2d88d6ec809a8134542fb27cf6d4f9c5bbdd60144be6ce5d9d992d7856
                                • Instruction ID: 92921c4d73d00332c1f7e2c4777c29a3fe2d132789c6287a20a50a4d2ff83909
                                • Opcode Fuzzy Hash: e1e88e2d88d6ec809a8134542fb27cf6d4f9c5bbdd60144be6ce5d9d992d7856
                                • Instruction Fuzzy Hash: E101D6619443087AEF5CE694CC03FFD339B5B20702F148459BE02655C2EA636B4DD766
                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,006C4EF8,006C4EF8,PklNl,00654A40), ref: 0066CB9A
                                • LocalFree.KERNEL32(?,?), ref: 0066CBC0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: @Je$PklNl
                                • API String ID: 1427518018-1020142830
                                • Opcode ID: 664b9dfd98f8475f425354b64ee7a331ecb45740e089a65787e279621d3e8a53
                                • Instruction ID: 03b079e21a80cf380ccc31c22389c68ad0a9a66d0a1012ecf804a82df6108b67
                                • Opcode Fuzzy Hash: 664b9dfd98f8475f425354b64ee7a331ecb45740e089a65787e279621d3e8a53
                                • Instruction Fuzzy Hash: BAF0F430B0010AAACF08A765DC5ACFE772ACB81311F10402EB906A21C0DE602D099665
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0066385A
                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,006C52D8,771B37E0,?), ref: 00663888
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,006C52D8,771B37E0,?,?,?,?,?,0065CFE5,?,00000000), ref: 00663893
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00663858
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 1818849710-1051519024
                                • Opcode ID: 595de896a207ec25f46455c530b065a26b0789a0849aa254e4d2cb1bfa70545e
                                • Instruction ID: b6ce48e07c79b35e14ed105b39349e72535eb0865761c49d8c168f42ac62fffd
                                • Opcode Fuzzy Hash: 595de896a207ec25f46455c530b065a26b0789a0849aa254e4d2cb1bfa70545e
                                • Instruction Fuzzy Hash: 78F06D72540118BBDF00AFA0EC46FEA376EEF45791F204119FD069A150EB71AE08DAA0
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,006B612C), ref: 006637B9
                                • RegSetValueExA.ADVAPI32(006B612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0066CB42,WallpaperStyle,006B612C,00000001,006C4EE0,00000000), ref: 006637E1
                                • RegCloseKey.ADVAPI32(006B612C,?,?,0066CB42,WallpaperStyle,006B612C,00000001,006C4EE0,00000000,?,00658798,00000001), ref: 006637EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                • API String ID: 1818849710-27424756
                                • Opcode ID: a600a86bae3a546748f06f0eff46653c1eda5657842388cf10fdf842f4cb74bf
                                • Instruction ID: 7756de2b2d9c1e929085a77ddffd1d3bb7723a3eb8eafbc6ec783a39d12f520a
                                • Opcode Fuzzy Hash: a600a86bae3a546748f06f0eff46653c1eda5657842388cf10fdf842f4cb74bf
                                • Instruction Fuzzy Hash: EAF06272500118BBCB00AFA0DC45EEA3B6DEF45751F204158FD059A110EB319E14DF60
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00666C82
                                • ShowWindow.USER32(00000009), ref: 00666C9C
                                • SetForegroundWindow.USER32 ref: 00666CA8
                                  • Part of subcall function 0066CE2C: AllocConsole.KERNEL32(006C5338), ref: 0066CE35
                                  • Part of subcall function 0066CE2C: GetConsoleWindow.KERNEL32 ref: 0066CE3B
                                  • Part of subcall function 0066CE2C: ShowWindow.USER32(00000000,00000000), ref: 0066CE4E
                                  • Part of subcall function 0066CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0066CE73
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !De
                                • API String ID: 186401046-1862527507
                                • Opcode ID: f439ac1ab41a500e3a12a5518728659f4846ea58429718d612fa1b0b9bab9243
                                • Instruction ID: 9e0e46a495722b8ea47bc26e85390968c11e14d76cad7f5ba7ba0d102fbc6fff
                                • Opcode Fuzzy Hash: f439ac1ab41a500e3a12a5518728659f4846ea58429718d612fa1b0b9bab9243
                                • Instruction Fuzzy Hash: D6F05E70108240ABD760EB61EC56FBA7BABEB61311F105829F906C61A1DE3168488A25
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0066616B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: afbfcd670405b3a481583cd8a02f1851557a16cc64ffc5a2e069a80dc09fce35
                                • Instruction ID: c10f163cd0b73d809089cb7e769987647ee1ef4036cad8b6b11dfcb3586f534b
                                • Opcode Fuzzy Hash: afbfcd670405b3a481583cd8a02f1851557a16cc64ffc5a2e069a80dc09fce35
                                • Instruction Fuzzy Hash: 2EE0C0B02083046BC748FAA4DC96DAB72EFAA51706F50082C754396092EF649D4DCB69
                                APIs
                                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00651414
                                • GetProcAddress.KERNEL32(00000000), ref: 0065141B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetCursorInfo$User32.dll
                                • API String ID: 1646373207-2714051624
                                • Opcode ID: a3da30f387b21d7b9bd05bec17a0ae7f2ebc7b6c153878fd31eedc3c5e9428d9
                                • Instruction ID: 7cf2fe55b47679f486ae29000bcd2090fca186ecac55c8126f304d64b35addd2
                                • Opcode Fuzzy Hash: a3da30f387b21d7b9bd05bec17a0ae7f2ebc7b6c153878fd31eedc3c5e9428d9
                                • Instruction Fuzzy Hash: 37B092F0591700ABCF002BB4AE0EA893E2BB6057123112014F103911A0CBB0B2809F30
                                APIs
                                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 006514B9
                                • GetProcAddress.KERNEL32(00000000), ref: 006514C0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetLastInputInfo$User32.dll
                                • API String ID: 2574300362-1519888992
                                • Opcode ID: f72f062b198fc42d8d43c2ca50cc55e94c27ec8e0599510ead9b8c46b2450dfd
                                • Instruction ID: c7f6aa73f40f78c6944310791c6b3ab53901b12e9526154a8880398f03beeb0e
                                • Opcode Fuzzy Hash: f72f062b198fc42d8d43c2ca50cc55e94c27ec8e0599510ead9b8c46b2450dfd
                                • Instruction Fuzzy Hash: B3B092F15A1301ABCB003BA4AD0E98D3A6BB7257133112045F502C11A0CBB0B2809F31
                                APIs
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0065C11F
                                • Cleared browsers logins and cookies., xrefs: 0065C130
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 6f21504704dcb0038e62c200cc98c208fed2d0f3e9ee75ed4f9ae8074b549849
                                • Instruction ID: e816eddb265bf495bd260c2b320e5be175ec326d2c34082a444112d8f18f8392
                                • Opcode Fuzzy Hash: 6f21504704dcb0038e62c200cc98c208fed2d0f3e9ee75ed4f9ae8074b549849
                                • Instruction Fuzzy Hash: 4231B005649381AEDB25BBB458667EABF934E93766F08905CBCC40B3C3CA53484C976B
                                APIs
                                • EnumDisplayMonitors.USER32(00000000,00000000,0066960A,00000000), ref: 00669530
                                • EnumDisplayDevicesW.USER32(?), ref: 00669560
                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 006695D5
                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 006695F2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: DisplayEnum$Devices$Monitors
                                • String ID:
                                • API String ID: 1432082543-0
                                • Opcode ID: 8a09d4310f5cb2c78f6b62b8d66f352d069207c8a9ba1f6073fc45811c45edeb
                                • Instruction ID: a59c7c8cb8e3b56633567e950126bd05c98fed40c2ddaded9faf97ca62ba0e30
                                • Opcode Fuzzy Hash: 8a09d4310f5cb2c78f6b62b8d66f352d069207c8a9ba1f6073fc45811c45edeb
                                • Instruction Fuzzy Hash: D62181721083146BD321DB56DC85EABBBEDEFD17A1F00052EB85AC7150EF709A09C6A5
                                APIs
                                  • Part of subcall function 0066C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0066C5F2
                                  • Part of subcall function 0066C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0066C5FB
                                  • Part of subcall function 0066C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0066C625
                                • Sleep.KERNEL32(000001F4), ref: 0065A5AE
                                • Sleep.KERNEL32(00000064), ref: 0065A638
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 7639ac4463e4a6dcdfa905eac35f9157b627eb85d9f6b11fd5687350ec21f67a
                                • Instruction ID: 36c6466e697456ff3383a24e9e79ce6a445b0d3d628eb7c9b5f8c687b1eaf7d2
                                • Opcode Fuzzy Hash: 7639ac4463e4a6dcdfa905eac35f9157b627eb85d9f6b11fd5687350ec21f67a
                                • Instruction Fuzzy Hash: AE11DE315146006BC258BB74CC13EAE77ABAF51306F40062DF883461E2FF20AA1C879B
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 6a4f6e871494c60316937ee9e670751a102ea809ee659df8ca6587e04f704f02
                                • Instruction ID: 4385443d662e9b6c9121a671e77fce6286d93e47d17f94498a2b6544007bd994
                                • Opcode Fuzzy Hash: 6a4f6e871494c60316937ee9e670751a102ea809ee659df8ca6587e04f704f02
                                • Instruction Fuzzy Hash: C7118273504344ABC744FBB4CC85DAF77AEABC5344F041B2DF64AC2041EE25EA488661
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 384c8567f64f4fae15af20572261ddcf608838ba019e5c3024784daf6d03092f
                                • Instruction ID: ae54f866934a9a1e7eb7c7835928319cc4b8d9cfa167aa3178cb824749bd7b30
                                • Opcode Fuzzy Hash: 384c8567f64f4fae15af20572261ddcf608838ba019e5c3024784daf6d03092f
                                • Instruction Fuzzy Hash: 5201F2B220A3263EEF202A78ACC5FA7624FCB61BB4B300329F121567D9DBA08D004174
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63bb21bb07ac5ffa5fcdc6a4aeb426ec6f8048cec80b916ff2a00f8189871698
                                • Instruction ID: dbb5d36f47cfb09516303289ac60a5fdcdc3a99ab59cd0651c39df7b799906da
                                • Opcode Fuzzy Hash: 63bb21bb07ac5ffa5fcdc6a4aeb426ec6f8048cec80b916ff2a00f8189871698
                                • Instruction Fuzzy Hash: 2701D6B25096223EEF611A7C6CC1DA7725FDF623B83350329F521557D9DF208D054170
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0065A788), ref: 0065A6E6
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0065A788), ref: 0065A6F5
                                • Sleep.KERNEL32(00002710,?,?,?,0065A788), ref: 0065A722
                                • CloseHandle.KERNEL32(00000000,?,?,?,0065A788), ref: 0065A729
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID:
                                • API String ID: 1958988193-0
                                • Opcode ID: e9240f48398fd788393197a93138deb1d6fe576d50b0dcf2c5b039bc36d6aeda
                                • Instruction ID: 0e92d8eb39587af8686d9cddca6747fecc0e634345424992a3c0a501337ecfb1
                                • Opcode Fuzzy Hash: e9240f48398fd788393197a93138deb1d6fe576d50b0dcf2c5b039bc36d6aeda
                                • Instruction Fuzzy Hash: 3E110D34200A406FDF31A7649C9DB7D7BBBAB4A353F48150DE98347A92C611795CCB36
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0069858D,?,00000000,00000000,00000000,?,006988B9,00000006,FlsSetValue), ref: 00698618
                                • GetLastError.KERNEL32(?,0069858D,?,00000000,00000000,00000000,?,006988B9,00000006,FlsSetValue,006AF170,006AF178,00000000,00000364,?,00698367), ref: 00698624
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0069858D,?,00000000,00000000,00000000,?,006988B9,00000006,FlsSetValue,006AF170,006AF178,00000000), ref: 00698632
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 1871acd3d73235d6bd1450934d79aa4b9d746373f744af02e6406d59d4ee4d43
                                • Instruction ID: 864d477cf561efe1c3d2b4c3b110b13c9f81abd9578ed26c9a1994a63b8d891c
                                • Opcode Fuzzy Hash: 1871acd3d73235d6bd1450934d79aa4b9d746373f744af02e6406d59d4ee4d43
                                • Instruction Fuzzy Hash: 0001F732212222AFCF219A79DC44E97776EAF877A1B210521FD06DB641DF21ED01CAF4
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 006898FA
                                  • Part of subcall function 00689F32: ___AdjustPointer.LIBCMT ref: 00689F7C
                                • _UnwindNestedFrames.LIBCMT ref: 00689911
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00689923
                                • CallCatchBlock.LIBVCRUNTIME ref: 00689947
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: cd28ba986fbea46ca6d324010f243aae0e52373bf6ffbe005bd28482f6828fd6
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: BC012932000109BBCF126F95CC01EEA3BBAFF48754F198218F95861120D336E862EBA4
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 0066942B
                                • GetSystemMetrics.USER32(0000004D), ref: 00669431
                                • GetSystemMetrics.USER32(0000004E), ref: 00669437
                                • GetSystemMetrics.USER32(0000004F), ref: 0066943D
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                • Opcode ID: 4b130c96f9a1383c8882af143129d0ea4f6d332dd57e138d0a3c5e796e151ad0
                                • Instruction ID: 9560904c64b989feef9fefeb81363d65f7f6ec8121286fb60c5c1cdae4b82d22
                                • Opcode Fuzzy Hash: 4b130c96f9a1383c8882af143129d0ea4f6d332dd57e138d0a3c5e796e151ad0
                                • Instruction Fuzzy Hash: 17F0A4B1B003155BD740EE758C41A2B6ADA9BD4360F10053EF609C7281EEB4DC068BA0
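The argument columns in the APIs lines of this report are raw hex, so the four GetSystemMetrics calls above read as 0x4C..0x4F rather than as SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN (the bounds of the whole multi-monitor desktop, which is what a screen-capture routine needs). The Python below is an added example, not part of the Joe Sandbox report: it parses lines in this report's "API.MODULE(args), ref: addr" form and decodes the argument positions whose meaning is fixed by the Win32 SDK (CreateFileW access/share/disposition/attribute flags, the HKEY root of RegCreateKeyA, the value type of RegSetValueExA, LoadLibraryExW flags, Sleep in milliseconds). The sample lines are copied from entries on this page; the regex, the Call record and the decoder table are my own.

```python
"""Decode the hex argument columns of Joe Sandbox 'APIs' lines into Win32 symbolic names."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Win32 constants whose numeric values are fixed by the SDK headers.
SYSTEM_METRICS = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
                  0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_BITS = {0x80: "FILE_ATTRIBUTE_NORMAL"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
LOADLIB_BITS = {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}


def bits(value: int, table: dict[int, str]) -> Optional[str]:
    """Render a bitmask as 'NAME|NAME'; leftover unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    if not names:
        return None
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


# (API name, zero-based argument position) -> decoder for that argument.
ARG_DECODERS: dict[tuple[str, int], Callable[[int], Optional[str]]] = {
    ("GetSystemMetrics", 0): SYSTEM_METRICS.get,
    ("CreateFileW", 1): lambda v: bits(v, ACCESS_BITS),
    ("CreateFileW", 2): lambda v: bits(v, SHARE_BITS),
    ("CreateFileW", 4): DISPOSITION.get,
    ("CreateFileW", 5): lambda v: bits(v, ATTR_BITS),
    ("RegCreateKeyA", 0): HKEYS.get,
    ("RegSetValueExA", 3): REG_TYPES.get,
    ("LoadLibraryExW", 2): lambda v: bits(v, LOADLIB_BITS),
    ("Sleep", 0): lambda v: f"{v} ms",
}

# One report line: optional bullet, optional "Part of subcall function X:" prefix,
# API.MODULE, optional (args), then "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")  # the report prints every recovered DWORD as 8 hex digits


@dataclass
class Call:
    api: str
    module: str
    ref: str
    caller: Optional[str]          # set for "Part of subcall function" lines
    args: list[str] = field(default_factory=list)
    decoded: list[str] = field(default_factory=list)


def parse_call(line: str) -> Optional[Call]:
    """Parse one APIs line; return None for lines that are not call records."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = Call(m["api"], m["module"], m["ref"], m["caller"], args)
    for i, raw in enumerate(args):
        decoder = ARG_DECODERS.get((call.api, i))
        # '?' and string arguments are left as printed; only 8-digit hex values are decoded.
        name = decoder(int(raw, 16)) if decoder and HEX8.fullmatch(raw) else None
        call.decoded.append(name or raw)
    return call


def annotate_report(text: str) -> list[Call]:
    return [c for c in (parse_call(line) for line in text.splitlines()) if c]


# Lines copied from the report entries on this page.
SAMPLE = """\
• GetSystemMetrics.USER32(0000004C), ref: 0066942B
• GetSystemMetrics.USER32(0000004D), ref: 00669431
• GetSystemMetrics.USER32(0000004E), ref: 00669437
• GetSystemMetrics.USER32(0000004F), ref: 0066943D
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0065A788), ref: 0065A6E6
• Sleep.KERNEL32(00002710,?,?,?,0065A788), ref: 0065A722
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0069858D,?,00000000,00000000,00000000,?,006988B9,00000006,FlsSetValue), ref: 00698618
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0069858D,?,00000000,00000000,00000000,?,006988B9,00000006,FlsSetValue,006AF170,006AF178,00000000), ref: 00698632
• GetLastError.KERNEL32 ref: 0069B884
  • Part of subcall function 006638B2: RegCreateKeyA.ADVAPI32(80000001,00000000,006B60B4), ref: 006638C0
  • Part of subcall function 006638B2: RegSetValueExA.ADVAPI32(006B60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0065C18D,006B6C58,00000001,000000AF,006B60B4), ref: 006638DB
"""

if __name__ == "__main__":
    for c in annotate_report(SAMPLE):
        where = f"{c.ref} (via {c.caller})" if c.caller else c.ref
        print(f"{c.api}({', '.join(c.decoded)})  ref {where}")
```

Two caveats when reading the decoded output. Arguments that Joe Sandbox could not recover are printed as `?`, and values it recovered from the stack may be stale, so a decoded name only confirms the call shape the sandbox saw. The LoadLibraryExW pair with LOAD_LIBRARY_SEARCH_SYSTEM32 followed by GetLastError and a retry without flags is the MSVC C runtime's own library-loading helper (the FlsSetValue string on the same lines belongs to it), not behaviour specific to this sample.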
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !De
                                • API String ID: 180926312-1862527507
                                • Opcode ID: e5383909d71d94afedc1c63230a5567a69653016a95b5736c7e33b075ae275d0
                                • Instruction ID: e9edb40da1939fd7c1e920616825c531a325d6a9031352981b284d64c777c5c8
                                • Opcode Fuzzy Hash: e5383909d71d94afedc1c63230a5567a69653016a95b5736c7e33b075ae275d0
                                • Instruction Fuzzy Hash: 9E5181316082019AC7A4FB35E862AFF73E7AF92301F50492DF9468B1D1EF30594EC65A
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00654066
                                  • Part of subcall function 0066BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0065407C), ref: 0066BA30
                                  • Part of subcall function 006685A3: CloseHandle.KERNEL32(006540F5,?,?,006540F5,006B5E84), ref: 006685B9
                                  • Part of subcall function 006685A3: CloseHandle.KERNEL32(006B5E84,?,?,006540F5,006B5E84), ref: 006685C2
                                  • Part of subcall function 0066C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0065412F,006B5E84), ref: 0066C52F
                                • Sleep.KERNEL32(000000FA,006B5E84), ref: 00654138
                                Strings
                                • /sort "Visit Time" /stext ", xrefs: 006540B2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "
                                • API String ID: 368326130-1573945896
                                • Opcode ID: 7f8e09bdc0a5fb710b5008ce93b866d9e317501743baf481b80abba3b63a18df
                                • Instruction ID: 80ca029aef2988754955ddb984e34a661b31070aed65d9665f734cb19b462802
                                • Opcode Fuzzy Hash: 7f8e09bdc0a5fb710b5008ce93b866d9e317501743baf481b80abba3b63a18df
                                • Instruction Fuzzy Hash: 463141319101185BCB54FAA4DC96AFE77B7AF91306F00006DF80797192EF205E8ECA95
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00668AF9
                                  • Part of subcall function 00668691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00668B0C,00000000,?,?,?,?,00000000), ref: 006686A5
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00668B46
                                  • Part of subcall function 00668706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00668B62,00000000,?,?), ref: 00668718
                                  • Part of subcall function 006686B4: GdipDisposeImage.GDIPLUS(?,00668BBD), ref: 006686BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                • Opcode ID: cc4419b917b44e234ae0c6ca60a97e82bb492d1da69aadf5786cab1e5ed247cf
                                • Instruction ID: 5ca872e1b48bf69b0fb05f91adc21d1c1ffbac90cc035a9d00de4af682c0fc7b
                                • Opcode Fuzzy Hash: cc4419b917b44e234ae0c6ca60a97e82bb492d1da69aadf5786cab1e5ed247cf
                                • Instruction Fuzzy Hash: B2315A72504300AFC741EF64C894D6FBBEEEF8A304F000A1DF986D7211DB7999088BA6
                                APIs
                                  • Part of subcall function 00684801: __onexit.LIBCMT ref: 00684807
                                • __Init_thread_footer.LIBCMT ref: 0065B7D2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                • API String ID: 1881088180-3686566968
                                • Opcode ID: be3de6102ed6b4a69b956cefdd79015c28ce29674ab09e9ccdacdced90588ad6
                                • Instruction ID: b6b08c00729f7718c8dca5608ae82c171a5f2cd8f40838d9d725522d73c5c18f
                                • Opcode Fuzzy Hash: be3de6102ed6b4a69b956cefdd79015c28ce29674ab09e9ccdacdced90588ad6
                                • Instruction Fuzzy Hash: 582132319101098ACB54FBA4E892DEDB7B7AF55312F10112DF90667192EF346D4ECB98
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,006A1E12,?,00000050,?,?,?,?,?), ref: 006A1C92
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                • Opcode ID: c2599a7a6c26d73a3b5834cfa36763139994731aa0807d67014bc169b9487fdf
                                • Instruction ID: 5d604c3158ef65faa95d3d4305f3eebe488b5d4197b915a78ef70a5c685f8f5f
                                • Opcode Fuzzy Hash: c2599a7a6c26d73a3b5834cfa36763139994731aa0807d67014bc169b9487fdf
                                • Instruction Fuzzy Hash: 0721A7A268010866DB34AA54C941BE7B2ABEB57B75F564424E90BDF300F736DE41CB50
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PklNl,0069BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0069B85B
                                • GetLastError.KERNEL32 ref: 0069B884
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PklNl
                                • API String ID: 442123175-3463370728
                                • Opcode ID: fc6217baf03a3b0418e77424736f20bb06489258c47bbe76618f875fa8c42ba5
                                • Instruction ID: 45f72221eab9863cca6c0e9790b40fea247436d5707c173df0dc2089d83c229b
                                • Opcode Fuzzy Hash: fc6217baf03a3b0418e77424736f20bb06489258c47bbe76618f875fa8c42ba5
                                • Instruction Fuzzy Hash: AC315E31A002199BCF24DF59DE809DAB3FAEF4C301B2495AAE519D7650E730A981CB64
                                APIs
                                • _wcslen.LIBCMT ref: 00666330
                                  • Part of subcall function 006638B2: RegCreateKeyA.ADVAPI32(80000001,00000000,006B60B4), ref: 006638C0
                                  • Part of subcall function 006638B2: RegSetValueExA.ADVAPI32(006B60B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0065C18D,006B6C58,00000001,000000AF,006B60B4), ref: 006638DB
                                  • Part of subcall function 006638B2: RegCloseKey.ADVAPI32(006B60B4,?,?,?,0065C18D,006B6C58,00000001,000000AF,006B60B4), ref: 006638E6
                                  • Part of subcall function 00659E1F: _wcslen.LIBCMT ref: 00659E38
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !De$okmode
                                • API String ID: 3411444782-3260842663
                                • Opcode ID: 870594cb7069b604e5b925bcdc4f7258425287802fa841071cff46cf43cc2615
                                • Instruction ID: a28bb08b559e91327a4d2c82dabd9aa893cca7353bc14e06114bff2cc0614b5a
                                • Opcode Fuzzy Hash: 870594cb7069b604e5b925bcdc4f7258425287802fa841071cff46cf43cc2615
                                • Instruction Fuzzy Hash: E21160717482001BDBA8BB30AC67B7D26979F92312F44082DFE438F6D2DF695C995319
                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PklNl,0069BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0069B76D
                                • GetLastError.KERNEL32 ref: 0069B796
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PklNl
                                • API String ID: 442123175-3463370728
                                • Opcode ID: 955e7588c4d8a3d74497c955938923e5dab7fee637e40fdc70804904f484e167
                                • Instruction ID: 0fbb29e8587fd431d15d24f72143aa63aa3c7a6c3060322b1ba0de871538b8d7
                                • Opcode Fuzzy Hash: 955e7588c4d8a3d74497c955938923e5dab7fee637e40fdc70804904f484e167
                                • Instruction Fuzzy Hash: BE21B135A002199FCF24DF69DD80BE9B3FAEB48301F1055AAE94AD7251D730AE85CF60
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00668BE5
                                  • Part of subcall function 00668691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00668B0C,00000000,?,?,?,?,00000000), ref: 006686A5
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00668C0A
                                  • Part of subcall function 00668706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00668B62,00000000,?,?), ref: 00668718
                                  • Part of subcall function 006686B4: GdipDisposeImage.GDIPLUS(?,00668BBD), ref: 006686BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                • Opcode ID: 97781716783a04ac012d6d6c53d422cebf22bc3fefac204eadd284a83aaaa50d
                                • Instruction ID: b3d675697249564186fe64d1c5f65ae288af3f4bc7599c34d4800819e1e31064
                                • Opcode Fuzzy Hash: 97781716783a04ac012d6d6c53d422cebf22bc3fefac204eadd284a83aaaa50d
                                • Instruction Fuzzy Hash: 7321C071204211AFC744EB60CC98CAFBBEEEF8A311F10061DF94693211DF359959CBA6
                                APIs
                                • Sleep.KERNEL32 ref: 0066667B
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 006666DD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !De
                                • API String ID: 1931167962-1862527507
                                • Opcode ID: 305bc7e8d564b66641feb9c06a984e052b9e539c9ddfa649d44afd5ea4b669bc
                                • Instruction ID: 7836a82e8a5b01ac9c0f008b5f2038689a1bf277bfc63fc1d544f3e92def974e
                                • Opcode Fuzzy Hash: 305bc7e8d564b66641feb9c06a984e052b9e539c9ddfa649d44afd5ea4b669bc
                                • Instruction Fuzzy Hash: 691151716082055BC754FB70D896ABE77EAAF52306F400C1DB9424B192EF30990DC716
                                APIs
                                  • Part of subcall function 0065B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,006C50F0), ref: 0065B1AD
                                  • Part of subcall function 0065B19F: wsprintfW.USER32 ref: 0065B22E
                                  • Part of subcall function 0066B580: GetLocalTime.KERNEL32(00000000), ref: 0066B59A
                                • CloseHandle.KERNEL32(?), ref: 0065B0EF
                                • UnhookWindowsHookEx.USER32 ref: 0065B102
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                • Opcode ID: b1f7fb44cecaba576ade14bbe46d9c826a56e03246652fffed8f5f8195b8adcd
                                • Instruction ID: 1ac13a7babe09a8e7d155beb33e324c75b99b3fda33cce232172daf52c433bd3
                                • Opcode Fuzzy Hash: b1f7fb44cecaba576ade14bbe46d9c826a56e03246652fffed8f5f8195b8adcd
                                • Instruction Fuzzy Hash: CE01D835A005049BD7757B38C82B7FEBBB79B42302F50145DEC4203582EB61296ECBD6
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0068CEA5), ref: 00698CA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx$PklNl
                                • API String ID: 2568140703-4266752995
                                • Opcode ID: f638b082633dec10939a77770470c188750c57b31f38bb8d7869fe2acc3fed0f
                                • Instruction ID: ecb1bb0e004e63c4aba463ac0418578e078b621164e909699f45c173fde376fe
                                • Opcode Fuzzy Hash: f638b082633dec10939a77770470c188750c57b31f38bb8d7869fe2acc3fed0f
                                • Instruction Fuzzy Hash: 38011332541108FBCF12AF90DD02EEE7F67EB4A760F054114FE1566160CA729931EF95
                                APIs
                                • IsValidLocale.KERNEL32(00000000,kKi,00000000,00000001,?,?,00694B6B,?,?,?,?,00000004), ref: 00698BB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$kKi
                                • API String ID: 1901932003-2265298025
                                • Opcode ID: 8e37f2119b087d3ff00d1276be635051dd912f703785f3d7e1f51d4bcbed06d8
                                • Instruction ID: cae24540a95f925cd400f08b3620df2cf6fdaa89e261a6d2b6739a235e8c968a
                                • Opcode Fuzzy Hash: 8e37f2119b087d3ff00d1276be635051dd912f703785f3d7e1f51d4bcbed06d8
                                • Instruction Fuzzy Hash: BFF0B430A80208FBCB117B60DC06FAD7B5BDB47711F110169F9056B290DE715E118AA9
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0065C531
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                • Opcode ID: 3379e1e988f29810bd88c0ff51440c5a5d15897cd6a0c047be7238c19d6abb23
                                • Instruction ID: 272ab2ef55a27fc2a368c62cd80a245ac7a1cbf082aab3b1c8a502500b8ad9a6
                                • Opcode Fuzzy Hash: 3379e1e988f29810bd88c0ff51440c5a5d15897cd6a0c047be7238c19d6abb23
                                • Instruction Fuzzy Hash: 44F08231A0431996CB54F7F8DC478FE7B6A9D10752F40016EBD42922C2EF64A98E87E8
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0065C594
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: c14192a2b0c43ad02aa44700874fab531f5c7fc11755c55812423e869505c7a2
                                • Instruction ID: 6e6cc490e65e915c5e1f9d60e3b7cd715762af2b55301d037afb334e9f260f74
                                • Opcode Fuzzy Hash: c14192a2b0c43ad02aa44700874fab531f5c7fc11755c55812423e869505c7a2
                                • Instruction Fuzzy Hash: 67F08270A0431996CB58FAF4DC478FE7B6E9E10752F40015EBD02521C2EF64A98A87E8
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0065C5F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: 30d1b9c53604be3a277fcc035a812512439c157ba918ac1990144d31213fb11a
                                • Instruction ID: a7aa35d097805b1af8935c4760379166be7c3332e252bc4baeb37e15ba653cd1
                                • Opcode Fuzzy Hash: 30d1b9c53604be3a277fcc035a812512439c157ba918ac1990144d31213fb11a
                                • Instruction Fuzzy Hash: DAF08231A0431996CB58FBB4DC478FE7B6E9D10753F00015EBD02A21C2EF649989C7E8
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0065B686
                                  • Part of subcall function 0065A41B: GetForegroundWindow.USER32 ref: 0065A451
                                  • Part of subcall function 0065A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0065A45D
                                  • Part of subcall function 0065A41B: GetKeyboardLayout.USER32(00000000), ref: 0065A464
                                  • Part of subcall function 0065A41B: GetKeyState.USER32(00000010), ref: 0065A46E
                                  • Part of subcall function 0065A41B: GetKeyboardState.USER32(?), ref: 0065A479
                                  • Part of subcall function 0065A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0065A49C
                                  • Part of subcall function 0065A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0065A4FC
                                  • Part of subcall function 0065A671: SetEvent.KERNEL32(00000000,?,00000000,0065B245,00000000), ref: 0065A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                • Opcode ID: 8be326d104b697e9c1a4bb1ebf0baff139ec5ba7026a29b733be8bf0399f3eb5
                                • Instruction ID: 4ad6d12aa30dabfd3969dfe974dfdfd691e558973e9c6aa9624ba26405c494e0
                                • Opcode Fuzzy Hash: 8be326d104b697e9c1a4bb1ebf0baff139ec5ba7026a29b733be8bf0399f3eb5
                                • Instruction Fuzzy Hash: 03E09B31700611178D98367C697B6FD2D538B42B62F42014DFC438B7D6DA994D5943DB
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0068AB37), ref: 00698A16
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PklNl
                                • API String ID: 2086374402-4182285418
                                • Opcode ID: ebc602c64794634a855780ccfebcdbface5108e0a678b7cd53104d737134d039
                                • Instruction ID: 5293fc328a8a4755d07de429a93fe832699f39082005ea5b6ac8acf00a5023fe
                                • Opcode Fuzzy Hash: ebc602c64794634a855780ccfebcdbface5108e0a678b7cd53104d737134d039
                                • Instruction Fuzzy Hash: 5FE0E531B81218AFCB517F60DC02D7EBB97DB47B00B010169F806A7280DE211D00DADA
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 006661E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !De$open
                                • API String ID: 587946157-167159646
                                • Opcode ID: 4740459e8687e698dbecb5d79161bd433db8d240cff2f7cd442bf14352083320
                                • Instruction ID: 151ffbf1d6c0bd2022bbb9e382caed725b5fab83f548a30ee4e4f4e9f91c4854
                                • Opcode Fuzzy Hash: 4740459e8687e698dbecb5d79161bd433db8d240cff2f7cd442bf14352083320
                                • Instruction Fuzzy Hash: 5DE012712482045AD794FA75EC92FFF739EAB51712F404C2DB9064A4C2EF74584DC725
                                APIs
                                • ___initconout.LIBCMT ref: 006A55DB
                                  • Part of subcall function 006A6B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006A55E0,00000000,PklNl,0069B61D,?,FF8BC35D,00000000,?,00000000), ref: 006A6BB0
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PklNl,0069B61D,?,FF8BC35D,00000000,?,00000000,PklNl,0069BB99,?), ref: 006A55FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PklNl
                                • API String ID: 3087715906-3463370728
                                • Opcode ID: d30cf30889d23367078e5bfc4805f29f1ee7da80f8b83b0c05bdd06d41a06c1c
                                • Instruction ID: ce659da9480bfc61bab2c6ded0231f53516b8bab95979e3cf1725d927c32fc50
                                • Opcode Fuzzy Hash: d30cf30889d23367078e5bfc4805f29f1ee7da80f8b83b0c05bdd06d41a06c1c
                                • Instruction Fuzzy Hash: D6E06D709005456BDB20EB65DC59EB9372BEB13370F600318F926CA2D1DB70ED40CA65
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0065B6E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: 1c4b1e5d5fc051d5acef3f0a2f4908914da7db2e98185e4583f92711965fef1b
                                • Instruction ID: ad046992db6828999b83eb532000b196fc00d87a697db812c812c716ee09dcaa
                                • Opcode Fuzzy Hash: 1c4b1e5d5fc051d5acef3f0a2f4908914da7db2e98185e4583f92711965fef1b
                                • Instruction Fuzzy Hash: 34E086317007111389643A7D963B6FD3923C786B62F451119FC834B6C6CA96495857D2
                                APIs
                                  • Part of subcall function 00684801: __onexit.LIBCMT ref: 00684807
                                • __Init_thread_footer.LIBCMT ref: 00660F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kl$0kl
                                • API String ID: 1881088180-1656138661
                                • Opcode ID: 126113d1647dcaa65cc03909432a42fe9b03c5a05112c209a936937fd70603ef
                                • Instruction ID: f3ac233f4d82ba586e0e3c7eb740f57d32aa304009aaf6a18a7f5eb7b4647b5b
                                • Opcode Fuzzy Hash: 126113d1647dcaa65cc03909432a42fe9b03c5a05112c209a936937fd70603ef
                                • Instruction Fuzzy Hash: 46E0D831114551CFD654B728E445E6637D7DB09320721013EF400D72C1CF326D414B5C
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0065EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,006B60CC,00000003,00000000), ref: 0065D0B3
                                • GetLastError.KERNEL32 ref: 0065D0BE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-HWAIZA
                                • API String ID: 1925916568-1998418401
                                • Opcode ID: bd120c27240008f1cfa94557e5390903bc4feb73d19b4b76d814d4a5526b76d2
                                • Instruction ID: f486c040d95d5a95d5861cb0249c3760773c00eb8b39d9f16c1b0f7a8d3a1f83
                                • Opcode Fuzzy Hash: bd120c27240008f1cfa94557e5390903bc4feb73d19b4b76d814d4a5526b76d2
                                • Instruction Fuzzy Hash: F1D01270615200ABDB487B709C59B6839A7DB45702F50142CF60BC95E1DAA455908921
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00651D55), ref: 00690D77
                                • GetLastError.KERNEL32 ref: 00690D85
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00690DE0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: b117281e0645e3cc6491b1567904f07fe6b24865ba3efca47e90cbb9633a6bb0
                                • Instruction ID: 3708f0c1bbeb49c7285a2f2d945af4edf70181280a5a988a96da8f3f37fcb6d6
                                • Opcode Fuzzy Hash: b117281e0645e3cc6491b1567904f07fe6b24865ba3efca47e90cbb9633a6bb0
                                • Instruction Fuzzy Hash: EE41C631604206AFEF219FA4C8447FABBBEEF41310F244599F959977A1D770AD41CB60
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00661BC7
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00661C93
                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00661CB5
                                • SetLastError.KERNEL32(0000007E,00661F2B), ref: 00661CCC
                                Memory Dump Source
                                • Source File: 00000003.00000002.3704068669.0000000000650000.00000040.80000000.00040000.00000000.sdmp, Offset: 00650000, based on PE: true
                                 • Associated: 00000003.00000002.3704068669.00000000006C4000.00000040.80000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_650000_svchost.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 0c1ef83ab510659d0a5d93fdd3e0083601400d88c571764f207d8da277252a7d
                                • Instruction ID: fdce592d38e3433eceeee517a59e507d2b04821419c82b2f9ee4ed6ded5e747a
                                • Opcode Fuzzy Hash: 0c1ef83ab510659d0a5d93fdd3e0083601400d88c571764f207d8da277252a7d
                                • Instruction Fuzzy Hash: BE41EF716443059FE7248F19DC84BAAB7EAFF4A714F08042DE94ACBB50EB34E805CB10