Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample name: INVOICE.exe
Analysis ID: 1544724
MD5: b78ba2b23d497cd1d6d083e650f3d0ef
SHA1: ac06a30deceef5f2a592fef6e1334d8bcf4e1f12
SHA256: 3c8e3ba151c76fa1c6f48872213b7c8db78e4cd5260bbd13f428ae0bc1a70f3a
Tags: exe

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • INVOICE.exe (PID: 5140 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: B78BA2B23D497CD1D6D083E650F3D0EF)
    • neophobia.exe (PID: 3204 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: B78BA2B23D497CD1D6D083E650F3D0EF)
      • RegSvcs.exe (PID: 5144 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6140 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • neophobia.exe (PID: 5176 cmdline: "C:\Users\user\AppData\Local\emboweling\neophobia.exe" MD5: B78BA2B23D497CD1D6D083E650F3D0EF)
      • RegSvcs.exe (PID: 3840 cmdline: "C:\Users\user\AppData\Local\emboweling\neophobia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware Configuration (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7844099330:AAF8QvgLCzWpfFABAfLjd1zx_8jhNhBnkCM", "Telegram Chatid": "6023628633"}
Source | Rule | Description | Author | Strings
00000008.00000002.3374825721.00000000034D5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.3375461228.0000000003311000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
Source | Rule | Description | Author | Strings
8.2.RegSvcs.exe.2fa1a06.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
8.2.RegSvcs.exe.2fa1a06.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
8.2.RegSvcs.exe.2fa1a06.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
8.2.RegSvcs.exe.2fa1a06.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
8.2.RegSvcs.exe.2fa1a06.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x1a834:$a1: get_encryptedPassword
  • 0x1a808:$a2: get_encryptedUsername
  • 0x1a8cc:$a3: get_timePasswordChanged
  • 0x1a7e4:$a4: get_passwordField
  • 0x1a84a:$a5: set_encryptedPassword
  • 0x1a617:$a7: get_logins
  • 0x19b85:$a8: GetOutlookPasswords
  • 0x19099:$a9: StartKeylogger
  • 0x17af3:$a10: KeyLoggerEventArgs
  • 0x17ac2:$a11: KeyLoggerEventArgsEventHandler
  • 0x1a6eb:$a13: _encryptedPassword

                    System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", ProcessId: 6140, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs", ProcessId: 6140, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\emboweling\neophobia.exe, ProcessId: 3204, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T16:52:26.114881+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49781 | 193.122.6.168 | 80 | TCP
2024-10-29T16:53:05.583685+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49785 | 193.122.6.168 | 80 | TCP

                    AV Detection

Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack; Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7844099330:AAF8QvgLCzWpfFABAfLjd1zx_8jhNhBnkCM", "Telegram Chatid": "6023628633"}
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe; ReversingLabs: Detection: 26%
Source: INVOICE.exe; ReversingLabs: Detection: 21%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe; Joe Sandbox ML: detected
Source: INVOICE.exe; Joe Sandbox ML: detected

                    Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: INVOICE.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49782 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49787 version: TLS 1.0
                    Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.3374523584.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; 5_2_02CEDA80
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 193.122.6.168
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49781 -> 193.122.6.168:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49785 -> 193.122.6.168:80
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.0000000003230000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033F0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000005.00000002.3375461228.00000000031B9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003379000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000005.00000002.3375461228.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003418000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000005.00000002.3375461228.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003379000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72l
Source: unknown; Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown; Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49787 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode

                    System Summary

Source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                    Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: initial sample | Static PE information: Filename: INVOICE.exe
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
                    Source: INVOICE.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_004019F0 OleInitialize,CreateToolhelp32Snapshot,Module32First,CloseHandle,8_2_004019F0
                    Source: C:\Users\user\Desktop\INVOICE.exeFile created: C:\Users\user\AppData\Local\embowelingJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\INVOICE.exeFile created: C:\Users\user\AppData\Local\Temp\mousmeJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
                    Source: INVOICE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\INVOICE.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegSvcs.exe, 00000005.00000002.3375461228.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.000000000329B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.000000000438D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.000000000345F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.000000000347E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.000000000349E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.000000000346F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003492000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: INVOICE.exeReversingLabs: Detection: 21%
                    Source: C:\Users\user\Desktop\INVOICE.exeFile read: C:\Users\user\Desktop\INVOICE.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
                    Source: C:\Users\user\Desktop\INVOICE.exeProcess created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\Desktop\INVOICE.exe"
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"
                    Source: C:\Users\user\Desktop\INVOICE.exeProcess created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\Desktop\INVOICE.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: INVOICE.exeStatic file information: File size 1179107 > 1048576
                    Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.3374523584.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402000 LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_00402000
                    Source: INVOICE.exe | Static PE information: real checksum: 0xa2135 should be: 0x123ac2
                    Source: neophobia.exe.0.dr | Static PE information: real checksum: 0xa2135 should be: 0x123ac2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02CE5278 pushad ; ret 5_2_02CE527E
                    Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BT3WF8HZe4QGl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                    Source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BT3WF8HZe4QGl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                    Source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BT3WF8HZe4QGl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                    Source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BT3WF8HZe4QGl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                    Source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BT3WF8HZe4QGl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                    Source: C:\Users\user\Desktop\INVOICE.exe | File created (dropped file): C:\Users\user\AppData\Local\emboweling\neophobia.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (8).png
                    Source: C:\Users\user\Desktop\INVOICE.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe API/Special instruction interceptor: Address: 3DD103C
                    Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe API/Special instruction interceptor: Address: 3DD3064
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000, followed by a descending series of 50 further delays: 599875, 599766, 599656, 599547, 599437, 599312, 599188, 599012, 598906, 598695, 598541, 598437, 598328, 598219, 598109, 598000, 597891, 597781, 597672, 597563, 597438, 597328, 597219, 597094, 596985, 596860, 596735, 596610, 596485, 596360, 596235, 596096, 595984, 595875, 595728, 595609, 595500, 595391, 595281, 595172, 595063, 594938, 594828, 594719, 594594, 594485, 594360, 594235, 594110, 593985
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1686
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8148
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 5.3 %
                    Source: RegSvcs.exe, 00000005.00000002.3373005724.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                    Source: RegSvcs.exe, 00000008.00000002.3372951646.0000000001434000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node (graph_5-23731)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402000 LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004123F1 SetUnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
The FFDecryptor.cs references are the stealer's Firefox credential decryptor: it loads the browser's own mozglue.dll from the installation directory and resolves the exports it needs with GetProcAddress instead of shipping its own copy, which is why no extra DLL is dropped for this step.
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C42008
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 114D008
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"
Both RegSvcs.exe launches carry the injector's own path as their command line rather than anything RegSvcs.exe would be invoked with: the dropper starts the legitimate .NET host with an unrelated command line, then writes into it (Memory written) and maps an execute/read/write section into it (Section loaded). An image path that does not match the executable named in the command line is the cheapest host-side indicator of this hollowing pattern.
Source: INVOICE.exe, neophobia.exe.0.dr | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
This key-name table (including the BROWSER_FAVORTIES misspelling, APPSKEY and NUMPADENTER) together with the Shell_TrayWnd and "Script Paused" strings is the built-in Send() key list and tray text of the AutoIt3 interpreter, so INVOICE.exe and the dropped neophobia.exe are AutoIt-compiled executables. The string belongs to the AutoIt runtime, not to the .NET stealer that is later injected into RegSvcs.exe, and it is present in every AutoIt-compiled binary, benign or not.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA | 5_2_00417A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 5_2_00412A15
Source: C:\Users\user\Desktop\INVOICE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3374825721.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375461228.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR
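The evidence in the evasion section above (RegSvcs.exe started with the dropper's path as its command line, neophobia.exe writing into and mapping an RWX section into RegSvcs.exe, wscript.exe launching neophobia.exe from under %LOCALAPPDATA%) and the credential-store access just listed (Chrome and Edge Login Data, the Outlook profile key) are the points a detection engineer would hunt for on other hosts. The Python below is an added example, not Joe Sandbox output and not code from the sample: four hunt rules run over constructed events whose field names follow Sysmon (Event 1 process creation, Event 10 process access) and Windows Security Event 4663 (object access, which needs a SACL on the browser profile and the Outlook profile key). The events, the 0x1FFFFF access mask, the .NET host list and the SID are assumptions of the example; only the paths mirror this report.

```python
"""Hunt rules for the behaviours recorded in this report, run over
constructed Sysmon/Security-4663 style events. Added example, not
Joe Sandbox code."""
import ntpath

# Constructed events (not captured): paths mirror the report, everything
# else (SID, access mask, benign control events) is assumed.
EVENTS = [
    {"id": 1, "Image": r"C:\Users\user\Desktop\INVOICE.exe",
     "CommandLine": r'"C:\Users\user\Desktop\INVOICE.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\INVOICE.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\emboweling\neophobia.exe"},
    {"id": 1, "Image": r"C:\Users\user\AppData\Local\emboweling\neophobia.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\emboweling\neophobia.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 10, "SourceImage": r"C:\Users\user\AppData\Local\emboweling\neophobia.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"id": 4663, "ObjectType": "File",
     "ProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ObjectName": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 4663, "ObjectType": "Key",
     "ProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT"
                   r"\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
                   r"\9375CFF0413111d3B88A00104B2A6676"},
    # benign controls: an ordinary process, and the browser reading its own store
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4663, "ObjectType": "File",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}   # assumed watch-list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020    # both needed by WriteProcessMemory
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def stem(path):
    """Lower-cased file name without extension: 'RegSvcs' == 'regsvcs.exe'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def argv0(cmdline):
    """First token of a Windows command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def rule_hollowed_image(ev):
    # Hollowing keeps the command line the injector gave CreateProcess, so the
    # image (RegSvcs.exe) and the executable named in argv[0] disagree.
    # Heuristic: tune against launchers that set lpApplicationName separately.
    if ev["id"] != 1:
        return False
    first = argv0(ev["CommandLine"])
    return bool(first) and stem(first) != stem(ev["Image"])


def rule_script_host_child(ev):
    # wscript/cscript starting an executable from a profile path (neophobia.vbs -> neophobia.exe).
    return (ev["id"] == 1
            and ntpath.basename(ev["ParentImage"]).lower() in SCRIPT_HOSTS
            and "\\appdata\\" in ev["Image"].lower())


def rule_cross_process_write(ev):
    # A process outside C:\Windows opening a .NET host with write rights
    # (report: 'Memory written' and an RWX 'Section loaded' into RegSvcs.exe).
    if ev["id"] != 10:
        return False
    access = int(ev["GrantedAccess"], 16)
    return (ntpath.basename(ev["TargetImage"]).lower() in DOTNET_HOSTS
            and access & WRITE_MASK == WRITE_MASK
            and not ev["SourceImage"].lower().startswith("c:\\windows\\"))


def rule_credential_store_access(ev):
    # Non-browser read of a Chromium 'Login Data' DB, or a non-Outlook process
    # touching the Outlook profile key (where stored mail credentials live).
    if ev["id"] != 4663:
        return False
    proc = ntpath.basename(ev["ProcessName"]).lower()
    obj = ev["ObjectName"].lower()
    if ev["ObjectType"] == "File":
        return obj.endswith("\\login data") and proc not in BROWSERS
    return "windows messaging subsystem\\profiles" in obj and proc != "outlook.exe"


RULES = {"hollowed_image": rule_hollowed_image,
         "script_host_child": rule_script_host_child,
         "cross_process_write": rule_cross_process_write,
         "credential_store_access": rule_credential_store_access}


def hunt(events):
    """(rule_name, event_index) for every rule that fires, in event order."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in hunt(EVENTS):
        print(f"{name:24s} event[{i}]")
```

Run against the constructed set, the two control events stay silent and each of the five malicious events fires exactly one rule. The command-line mismatch rule is the one worth keeping on permanently: it needs only process-creation telemetry and catches hollowing into any host binary, not just RegSvcs.exe.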

                    Remote Access Functionality

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa1a06.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.433e390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.2fa0b1e.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4315570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.3060000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.4316458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3840, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic. Techniques the analysis matched carry the matrix's hit marker in brackets; entries without a marker are the template's unmatched default cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API [11]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting [111]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [2]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Process Injection [212]; Registry Run Keys / Startup Folder [2]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [11]; Process Injection [212]
Credential Access: OS Credential Dumping [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; File and Directory Discovery [1]; System Information Discovery [124]; Security Software Discovery [221]; Virtualization/Sandbox Evasion [11]; Process Discovery [2]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1544724 | Sample: INVOICE.exe | Startdate: 29/10/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 13 other signatures
Network nodes: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); checkip.dyndns.org; checkip.dyndns.com

Process tree:
INVOICE.exe (started)
    dropped: C:\Users\user\AppData\Local\...\neophobia.exe, PE32
    neophobia.exe (started)
        dropped: C:\Users\user\AppData\...\neophobia.vbs, data
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops VBS files to the startup folder; Switches to a custom stack to bypass stack traces
        RegSvcs.exe (started)
            reallyfreegeoip.org 188.114.96.3, port 443, client ports 49782 and 49786, CLOUDFLARENETUS, European Union
            checkip.dyndns.com 193.122.6.168, port 80, client ports 49781 and 49785, ORACLE-BMC-31898US, United States
wscript.exe (started)
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    neophobia.exe (started)
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        RegSvcs.exe (started)
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
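The persistence leg of the graph (neophobia.vbs dropped into the startup folder, wscript.exe running it on logon, neophobia.exe starting from a path under %LOCALAPPDATA%) is the on-disk artefact a responder checks first on a suspected host. The Python below is an added example, not sandbox output and not the malware's code: it triages script-host files in the Windows startup folders and reports the ones that launch an executable from a user-writable path, or whose body is not plain text (the graph lists the dropped .vbs as type "data", so an encoded or binary body is itself a finding). The WScript.Shell COM object, the file names and the temporary folder are constructed for the demonstration; the report does not name the COM object it observed.

```python
"""Triage of script files in the Windows startup folders. Added example,
not Joe Sandbox or sample code; runs offline on a constructed folder."""
import os
import pathlib
import re
import tempfile

# Live locations to pass to triage_startup_folder() on a Windows host.
STARTUP_DIRS = [
    os.path.join(os.environ.get("APPDATA", ""),
                 r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""),
                 r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\'<>|\r\n]+?\.(?:exe|dll|scr|bat|cmd|ps1)', re.I)
COM_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)


def is_text(data):
    """True when the first 4 KiB is mostly printable ASCII. A .vbe or an
    otherwise binary body cannot be read as script and is flagged as such."""
    sample = data[:4096]
    if not sample:
        return True
    printable = sum(b in b"\t\r\n" or 32 <= b < 127 for b in sample)
    return printable / len(sample) > 0.9


def triage_script(path):
    """Findings for one script: COM objects it creates and executables it
    references under user-writable paths; 'reason' is None when it is clean."""
    data = pathlib.Path(path).read_bytes()
    finding = {"name": os.path.basename(path), "text": is_text(data),
               "com_objects": [], "targets": [], "reason": None}
    if not finding["text"]:
        finding["reason"] = "script body is not plain text (encoded or binary)"
        return finding
    text = data.decode("utf-8", "replace")
    finding["com_objects"] = sorted({m.group(1) for m in COM_RE.finditer(text)})
    finding["targets"] = [p for p in PATH_RE.findall(text)
                          if any(tag in p.lower() for tag in USER_WRITABLE)]
    if finding["targets"]:
        finding["reason"] = "launches an executable from a user-writable path"
    return finding


def triage_startup_folder(folder):
    """Findings (with a reason) for every script-host file in `folder`."""
    results = []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name):
        if entry.is_file() and os.path.splitext(entry.name)[1].lower() in SCRIPT_EXT:
            f = triage_script(entry.path)
            if f["reason"]:
                results.append(f)
    return results


def build_demo_folder():
    """Constructed input: a plain-text launcher .vbs (WScript.Shell is an
    assumed COM object), a binary-looking .vbs, and a .txt that must be ignored."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    launcher = ('Set sh = CreateObject("WScript.Shell")\n'
                'sh.Run """C:\\Users\\user\\AppData\\Local\\emboweling\\neophobia.exe""", 0, False\n')
    pathlib.Path(folder, "launcher.vbs").write_text(launcher)
    pathlib.Path(folder, "blob.vbs").write_bytes(bytes(range(256)) * 4)
    pathlib.Path(folder, "readme.txt").write_text("not a script\n")
    return folder


if __name__ == "__main__":
    folders = [build_demo_folder()] + [d for d in STARTUP_DIRS if os.path.isdir(d)]
    for folder in folders:
        for f in triage_startup_folder(folder):
            print(f"{f['name']}: {f['reason']} com={f['com_objects']} targets={f['targets']}")
```

On the constructed folder the launcher is reported for its %LOCALAPPDATA% target and the binary .vbs for its unreadable body, while readme.txt is ignored. On a live host, run it against both STARTUP_DIRS and treat any script whose target is under the user profile as something to pull for analysis rather than delete in place, since the executable it points at (here neophobia.exe) is the sample you want.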

Initial Sample
Source | Detection | Scanner | Label
INVOICE.exe | 21% | ReversingLabs |
INVOICE.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\emboweling\neophobia.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\emboweling\neophobia.exe | 26% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/173.254.250.72 | false | | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003418000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375461228.0000000003230000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033F0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/173.254.250.72l | RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.com | RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000005.00000002.3375461228.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003379000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot-/sendDocument?chat_id= | RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org/q | RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | RegSvcs.exe, 00000005.00000002.3375461228.0000000003258000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.0000000003418000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 00000005.00000002.3375461228.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3374825721.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1544724
                                Start date and time:2024-10-29 16:50:39 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 25s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:INVOICE.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 95%
                                • Number of executed functions: 74
                                • Number of non-executed functions: 92
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: INVOICE.exe
Time | Type | Description
11:53:05 | API Interceptor | 260x Sleep call for process: RegSvcs.exe modified
16:52:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs
Match: 193.122.6.168 (IP)
Associated Sample Name / URL | Detection | Threat Name | Context
Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
z19UrgentOrder.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
rFa24c148.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
na.doc | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
na.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
mnobizxv.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Factura 1-014685.pdf.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
EKSTRE_1022.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Match: reallyfreegeoip.org (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
z59IKE.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
Documentos.exe | malicious | Snake Keylogger | 188.114.97.3
PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 188.114.97.3
ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 188.114.96.3
rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
Bill Of Lading.exe | malicious | MassLogger RAT | 188.114.97.3
Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
dekont_001.pdf.exe | malicious | Snake Keylogger | 188.114.97.3
z74fBF2ObiS1g87mbS.exe | malicious | Snake Keylogger | 188.114.96.3

Match: checkip.dyndns.com (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
z59IKE.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
Documentos.exe | malicious | Snake Keylogger | 158.101.44.242
PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 158.101.44.242
ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 132.226.247.73
rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Bill Of Lading.exe | malicious | MassLogger RAT | 132.226.247.73
Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
dekont_001.pdf.exe | malicious | Snake Keylogger | 132.226.247.73
z74fBF2ObiS1g87mbS.exe | malicious | Snake Keylogger | 158.101.44.242
Match: ORACLE-BMC-31898US (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
Documentos.exe | malicious | Snake Keylogger | 158.101.44.242
PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 158.101.44.242
M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
z74fBF2ObiS1g87mbS.exe | malicious | Snake Keylogger | 158.101.44.242
QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | 158.101.44.242
z19UrgentOrder.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
la.bot.m68k.elf | malicious | Unknown | 144.25.107.42
la.bot.arm7.elf | malicious | Unknown | 130.61.64.122
splarm7.elf | malicious | Unknown | 147.154.235.35

Match: CLOUDFLARENETUS (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
zmap.arm7.elf | malicious | Mirai, Okiru | 172.65.204.32
https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br | malicious | HTMLPhisher | 104.17.25.14
zmap.mips.elf | malicious | Mirai, Okiru | 172.65.204.32
zmap.m68k.elf | malicious | Mirai, Okiru | 172.65.204.32
https://deedayoshayoatmetoback.me/whatever/toni/kross/hala/mbappe/sanchez/mark/tremble/awee/rgguuu/us/invite/ | malicious | Unknown | 188.114.96.3
0001.xls | malicious | Remcos | 104.21.74.191
installer.exe | malicious | Unknown | 172.67.75.163
file.exe | malicious | LummaC | 188.114.96.3
http://email.lndg.page/ls/click?upn=u001.IvLseMgsVhVvzUpwRiP-2FwDY1kjINp61fUuRWFtJrOlsR2xK9oB-2FfYMEmxXZADqvZYVpAGo4tqJabIsrfh5cAoQ-3D-3DBY5f_Z037rZRAjNnoLxuCNZalsWeL-2FuGvpRjfvafXSKPUadVelwBKNiVQ67EtFqVq-2F-2FAK6i6xZqeXhJzRqi8XomI4er4VLqx9iTYG7-2BCEAXYgFCl0PkJ3-2Fta3PunUyBaUajSXL-2F4RU8ivpOSEDeErwB8BZGzV2oyEJ1SK5v6Yp5gOMXaPWrDBmQyDNn3b-2FaOwkDESVUP2cfI7B8pfKWj4ZDcF0w-3D-3D | malicious | Unknown | 188.114.96.3
installer.exe | malicious | Unknown | 172.67.75.163
Match: 54328bd36c14bd82ddaa0c04b25ed9ad (JA3 fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
z59IKE.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
Documentos.exe | malicious | Snake Keylogger | 188.114.96.3
PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 188.114.96.3
ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 188.114.96.3
https://docs.google.com/drawings/d/1OzqwiA1nI8GUoiKob_qJY5xL1HmGK6VrRXlYUDuD68w/preview?pli=1JXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrlytjEsfyxX4slH6ZHg3eWCKKhJXThK7wTKLJQKP6wUqAFkc0vrl | malicious | Mamba2FA | 188.114.96.3
rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Bill Of Lading.exe | malicious | MassLogger RAT | 188.114.96.3
dekont_001.pdf.exe | malicious | Snake Keylogger | 188.114.96.3
                                https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9a
CYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe | malicious | HTMLPhisher | 188.114.96.3
                                No context
                                Process:C:\Users\user\Desktop\INVOICE.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):209408
                                Entropy (8bit):7.85035778716997
                                Encrypted:false
                                SSDEEP:3072:vNRWxHIOTYlmfFn+14kEdzuDP0GEugqpvzUAaV9tHXspkwvs3vTceEIz:7W9t9VkEuDP0dbqpvaV9tMkTEM
                                MD5:9A210D791CE485775958BBFA026CE625
                                SHA1:21193C5E0533ADE8E7F86DA9F0CDC39F38596B90
                                SHA-256:1464765A4EA6A4F4B785E05F20C8FED0EA15AFAB622D84986E1F0FE3A207EA01
                                SHA-512:76A2ED43FA6CFA1C53ADF9500B16BAE6246470C6FFD92471C275DA253FBF987E354D35102C950ADBACAAAF9068881B2A2C64A6E48BAC7D51ECC174962FDA46BC
                                Malicious:false
                                Reputation:low
                                Preview:~c.VVW2D65W5..PN.KVHFMVJ.46392VUW2D25W5PKPNLKVHFMVJD46392VUW.D25Y*.EP.E.w.G..k.\_@.B$:0@%_.4T>%?:l)3h488j-Z.wvav88V!.8Z?tKPNLKVH.].ghE.M.C.+{C.L.tJ.t!.2@..8f'.:.G.Gn'.).g\KKD.5bm%5.9.3di?J.B.L.<4ZhC.)5PKPNLKVHFMVJD46..UW2DbpW5.JTN8.V.FMVJD463.2uT\3M25.4PK.OLKVHFb.JD4&392.TW2Dr5W%PKPLLKSHFMVJD43392VUW2D.6W5TKP.wIVJFM.JD$63)2VUW"D2%W5PKPN\KVHFMVJD463.'TU.2D2577P.@OLKVHFMVJD46392VUW2D25W5PK..MKJHFMVJD46392VUW2D25W5PKPNLKV.KOV.D46392VUW2D2.V5.JPNLKVHFMVJD46392VUW2D25W5Pe$+4?VHFU.KD4&392.TW2@25W5PKPNLKVHFMvJDT.A]S"4W2._5W5.JPN"KVH.LVJD46392VUW2Dr5Wu~/1:-KVH.}VJD.439$VUW8F25W5PKPNLKVHF.VJ..D@KQVUW.T35WURKP\MKVhDMVJD46392VUW2.25.5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD46392VUW2D25W5PKPNLKVHFMVJD463
                                Process:C:\Users\user\Desktop\INVOICE.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1179107
                                Entropy (8bit):7.301469702909002
                                Encrypted:false
                                SSDEEP:24576:WfmMv6Ckr7Mny5QL1nqbbtVnQ4bcf/sv+4+QQ7ZH:W3v+7/5QL1nqDwf/EO
                                MD5:B78BA2B23D497CD1D6D083E650F3D0EF
                                SHA1:AC06A30DECEEF5F2A592FEF6E1334D8BCF4E1F12
                                SHA-256:3C8E3BA151C76FA1C6F48872213B7C8DB78E4CD5260BBD13F428AE0BC1A70F3A
                                SHA-512:41AB5ECF5E78EB4C1F8CF70E5C38EB109538BABB815EAABB61ED18CBB1E13E3B4703E92ADBC1A5E5BD0E712182A7E3C991BFD42C2E881F33D265B4ABDABB4929
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 26%
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@.................................5!........@.......@.....................<...T........6........................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc....6.......8...H..............@..@................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\emboweling\neophobia.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):286
                                Entropy (8bit):3.4004154784806593
                                Encrypted:false
                                SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1AlflYeZmLnriIM8lfQVn:DsO+vNlDQ1AlflYeYzmA2n
                                MD5:1F25098E5005E42FB0558196CE447908
                                SHA1:5121DB1E4132C123A01D089F2AB2F164EFE075F1
                                SHA-256:98432EB860099A969324C7552F90C5476D76463B0FD86A179BF041A01D8992FF
                                SHA-512:27DA8799F847CF518FA8157DECADE20D1DFED79993A2BE066D3EF5934FB0B090EC4B9BF1452214D3412C4918D696B25C447F8876BB6A2A28803593AAE49D1AE8
                                Malicious:true
                                Reputation:low
Preview (UTF-16LE, no byte-order mark; decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\engineer\AppData\Local\emboweling\neophobia.exe", 1
Set WshShell = Nothing
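The dropped script is UTF-16LE with no byte-order mark: the file begins with the S of Set rather than FF FE, and 286 bytes is exactly twice the 143 characters of the three LF-terminated lines. A tool that reads it as UTF-8 or ASCII sees a string that stops at the first NUL, and a grep for "WScript.Shell" finds nothing. The following added example, not part of the report or of the sample, rebuilds that script from the decoded text, detects BOM-less UTF-16 from the alternating NUL bytes, pulls the WScript.Shell .Run target and window style out with a regular expression, and reports why the file matters: it sits in the Startup folder and launches an executable from a user-writable directory. The C:\Users\engineer\ path is the one shown in the preview.

```python
import re

# Constructed reproduction of the dropped neophobia.vbs shown above: UTF-16LE
# with no byte-order mark and LF line endings, which gives exactly 286 bytes.
# The "engineer" user name is the one in the preview, not a property of this host.
VBS_TEXT = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\engineer\\AppData\\Local\\emboweling\\neophobia.exe", 1\n'
    'Set WshShell = Nothing\n'
)
VBS_BYTES = VBS_TEXT.encode("utf-16-le")

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_DIRS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# WScript.Shell .Run "target"[, windowStyle[, waitOnReturn]]
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.IGNORECASE)


def decode_script(data: bytes) -> str:
    """Decode a WSH script body, coping with UTF-16 that carries no BOM."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8")
    even = len(data) % 2 == 0 and len(data) >= 4
    # BOM-less UTF-16 ASCII text has a NUL in every other byte; pick the side.
    if even and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le")
    if even and all(b == 0 for b in data[0::2]):
        return data.decode("utf-16-be")
    return data.decode("utf-8", errors="replace")


def extract_run_targets(script: str):
    """Return (target, window_style) for every WScript.Shell .Run call."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in RUN_RE.finditer(script)]


def triage(path: str, data: bytes) -> dict:
    """Summarise why a dropped script matters: where it lives and what it launches."""
    script = decode_script(data)
    targets = extract_run_targets(script)
    return {
        "in_startup_folder": STARTUP_DIR in path.lower(),
        "run_targets": targets,
        # window style 0 would hide the window; 1 (as in this sample) shows it
        "hidden_window": any(style == 0 for _, style in targets),
        "launches_from_user_dir": any(any(d in t.lower() for d in USER_DIRS)
                                      for t, _ in targets),
        "line_count": script.count("\n"),
    }


if __name__ == "__main__":
    sample_path = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
                   r"\Programs\Startup\neophobia.vbs")
    for key, value in triage(sample_path, VBS_BYTES).items():
        print(f"{key:24} {value}")
```

The NUL-position heuristic is only safe for ASCII-range text, which is what WSH droppers almost always are; a script containing non-Latin characters would need a proper charset sniff. The regular expression handles the quoted-string form of .Run only, so a script that builds its target from concatenated variables (a common next step in obfuscated droppers) returns no targets and should be escalated rather than cleared.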
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.301469702909002
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 95.11%
                                • AutoIt3 compiled script executable (510682/80) 4.86%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:INVOICE.exe
                                File size:1'179'107 bytes
                                MD5:b78ba2b23d497cd1d6d083e650f3d0ef
                                SHA1:ac06a30deceef5f2a592fef6e1334d8bcf4e1f12
                                SHA256:3c8e3ba151c76fa1c6f48872213b7c8db78e4cd5260bbd13f428ae0bc1a70f3a
                                SHA512:41ab5ecf5e78eb4c1f8cf70e5c38eb109538babb815eaabb61ed18cbb1e13e3b4703e92adbc1a5e5bd0e712182a7e3c991bfd42c2e881f33d265b4abdabb4929
                                SSDEEP:24576:WfmMv6Ckr7Mny5QL1nqbbtVnQ4bcf/sv+4+QQ7ZH:W3v+7/5QL1nqDwf/EO
                                TLSH:EB45B022B2E640F6E9923D711D26E316BF766D194622848FD7A03AF14E33340D7267F6
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                Icon Hash:cf818c848c8a814f
                                Entrypoint:0x416310
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:aaaa8913c89c8aa4a5d93f06853894da
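Every static field above (time stamp, image base and entry point, file and DLL characteristics, subsystem, OS and subsystem version) is read from the COFF header and the optional header at fixed offsets. The following added example, not part of the report, builds a throwaway PE32 header carrying exactly the values listed for INVOICE.exe (headers only, no sections or code behind them) and parses it back with those standard offsets, covering the PE32+ layout as well. It also measures how far the link-time stamp lies from the analysis date: a 2010 stamp on a file analysed in October 2024 is worth recording, even though the field is trivially forgeable and proves nothing on its own.

```python
import struct
from datetime import date, datetime, timezone

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying the header values this report lists.
    Only the headers are built; there are no sections or code behind them."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: machine, sections, timestamp, symtab ptr, nsyms, opt size, characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 4, 0x4B93CF87, 0, 0, 0xE0, 0x0123)
    # Optional header, PE32 standard fields: magic, linker version, sizes, entry RVA, bases
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, 0x16310, 0x1000, 0x1000)
    # Windows-specific fields: image base 0x400000, OS/image/subsystem version 5.0,
    # subsystem 2 (GUI), DllCharacteristics 0x8000 (TERMINAL_SERVER_AWARE only)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, 0x1000, 0x200, 5, 0, 5, 0, 5, 0, 0,
                       0x100000, 0x200, 0, 2, 0x8000,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)   # 16 empty data directories
    return bytes(dos) + b"PE\0\0" + coff + opt


def parse_pe_header(data: bytes) -> dict:
    """Read the fields a triage report lists, for PE32 and PE32+ images."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:          # PE32: BaseOfData precedes a 4-byte ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:        # PE32+: no BaseOfData, 8-byte ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # From SectionAlignment onward the two layouts share offsets up to Subsystem.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
        "characteristics": [n for bit, n in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "entrypoint": image_base + entry_rva,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "optional_header_size": opt_size,
    }


def stamp_age_days(info: dict, observed_iso: str) -> int:
    """Days between the link-time stamp and the (ISO) date the file was observed."""
    return (date.fromisoformat(observed_iso) - info["timestamp"].date()).days


if __name__ == "__main__":
    info = parse_pe_header(build_sample_header())
    for key, value in info.items():
        print(f"{key:22} {value}")
    print("stamp age (days)      ", stamp_age_days(info, "2024-10-29"))
```

The absence of DYNAMIC_BASE and NX_COMPAT in the DllCharacteristics, combined with RELOCS_STRIPPED, is itself a triage signal: the image is built to load at its fixed base without ASLR, which is typical of older or deliberately stripped packer stubs rather than of a current compiler's defaults.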
                                Instruction
                                call 00007F611CDD354Ch
                                jmp 00007F611CDC731Eh
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push edi
                                push esi
                                mov esi, dword ptr [ebp+0Ch]
                                mov ecx, dword ptr [ebp+10h]
                                mov edi, dword ptr [ebp+08h]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007F611CDC74AAh
                                cmp edi, eax
                                jc 00007F611CDC764Ah
                                cmp ecx, 00000100h
                                jc 00007F611CDC74C1h
                                cmp dword ptr [004A94E0h], 00000000h
                                je 00007F611CDC74B8h
                                push edi
                                push esi
                                and edi, 0Fh
                                and esi, 0Fh
                                cmp edi, esi
                                pop esi
                                pop edi
                                jne 00007F611CDC74AAh
                                pop esi
                                pop edi
                                pop ebp
                                jmp 00007F611CDC790Ah
                                test edi, 00000003h
                                jne 00007F611CDC74B7h
                                shr ecx, 02h
                                and edx, 03h
                                cmp ecx, 08h
                                jc 00007F611CDC74CCh
                                rep movsd
                                jmp dword ptr [00416494h+edx*4]
                                nop
                                mov eax, edi
                                mov edx, 00000003h
                                sub ecx, 04h
                                jc 00007F611CDC74AEh
                                and eax, 03h
                                add ecx, eax
                                jmp dword ptr [004163A8h+eax*4]
                                jmp dword ptr [004164A4h+ecx*4]
                                nop
                                jmp dword ptr [00416428h+ecx*4]
                                nop
                                mov eax, E4004163h
                                arpl word ptr [ecx+00h], ax
                                or byte ptr [ecx+eax*2+00h], ah
                                and edx, ecx
                                mov al, byte ptr [esi]
                                mov byte ptr [edi], al
                                mov al, byte ptr [esi+01h]
                                mov byte ptr [edi+01h], al
                                mov al, byte ptr [esi+02h]
                                shr ecx, 02h
                                mov byte ptr [edi+02h], al
                                add esi, 03h
                                add edi, 03h
                                cmp ecx, 08h
                                jc 00007F611CDC746Eh
                                Programming Language:
                                • [ASM] VS2008 SP1 build 30729
                                • [ C ] VS2008 SP1 build 30729
                                • [C++] VS2008 SP1 build 30729
                                • [ C ] VS2005 build 50727
                                • [IMP] VS2005 build 50727
                                • [ASM] VS2008 build 21022
                                • [RES] VS2008 build 21022
                                • [LNK] VS2008 SP1 build 30729
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x136e8 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0xab000 | 0x136e8 | 0x13800 | 25f5ac98668909564a535af77849da6e | False | 0.08760266426282051 | data | 3.8826931644611715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0xab448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                RT_ICON | 0xab570 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                RT_ICON | 0xab698 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                RT_ICON | 0xab7c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.05220040222406246
                                RT_MENU | 0xbbfe8 | 0x50 | data | English | Great Britain | 0.9
                                RT_DIALOG | 0xbc038 | 0xfc | data | English | Great Britain | 0.6507936507936508
                                RT_STRING | 0xbc138 | 0x530 | data | English | Great Britain | 0.33960843373493976
                                RT_STRING | 0xbc668 | 0x690 | data | English | Great Britain | 0.26964285714285713
                                RT_STRING | 0xbccf8 | 0x43a | data | English | Great Britain | 0.3733826247689464
                                RT_STRING | 0xbd138 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                RT_STRING | 0xbd738 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                RT_STRING | 0xbdd98 | 0x388 | data | English | Great Britain | 0.377212389380531
                                RT_STRING | 0xbe120 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                                RT_GROUP_ICON | 0xbe278 | 0x14 | data | English | Great Britain | 1.25
                                RT_GROUP_ICON | 0xbe290 | 0x14 | data | English | Great Britain | 1.15
                                RT_GROUP_ICON | 0xbe2a8 | 0x14 | data | English | Great Britain | 1.25
                                RT_GROUP_ICON | 0xbe2c0 | 0x14 | data | English | Great Britain | 1.25
                                RT_VERSION | 0xbe2d8 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                RT_MANIFEST | 0xbe478 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                DLL | Import
                                WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
                                USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
                                GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
                                COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
                                SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
                                OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
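The import table above is the kind of input a static triage pass turns into capability flags before any dynamic run. The Python below is an added example, not code from the report or from the sample: it parses a constructed subset of this binary's imports (in the "DLL | api, api" form used in the table) and matches them against a small hand-written rule set (the capability names and API groupings are this example's own choices, not an established taxonomy). One caveat a practitioner should keep in mind: imports describe what a binary can call, not what it does. A packer stub or scripting runtime imports a broad API surface for every payload it hosts, so treat these flags as prioritisation hints and confirm them against the dynamic findings in the report (here, the foreign-memory writes and the HTTP traffic attributed to RegSvcs.exe).

```python
from typing import Dict, List, Set

# Constructed subset of the report's import table; the real lists are far longer.
IMPORT_LINES = [
    "KERNEL32.dll | OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, "
    "CreateProcessW, ResumeThread, IsDebuggerPresent, GetProcAddress, LoadLibraryA, "
    "CreateToolhelp32Snapshot, Process32FirstW, Process32NextW",
    "USER32.dll | GetAsyncKeyState, GetKeyboardState, SetKeyboardState, MapVirtualKeyW, "
    "RegisterHotKey, BlockInput, SendInput, GetForegroundWindow, GetWindowTextW",
    "ADVAPI32.dll | AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, "
    "LogonUserW, CreateProcessAsUserW",
    "WININET.dll | InternetOpenW, InternetOpenUrlW, HttpOpenRequestW, HttpSendRequestW",
    "WSOCK32.dll | socket, connect, send, recv",
]

# Rule set (this example's own, not a standard): a capability fires when every API in
# "all" is imported and, if "any" is non-empty, at least one API from "any" is too.
CAPABILITIES: Dict[str, Dict[str, Set[str]]] = {
    "foreign-process memory write": {
        "all": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}, "any": set()},
    "process creation + thread resume": {
        "all": {"CreateProcessW", "WriteProcessMemory", "ResumeThread"}, "any": set()},
    "keystroke capture": {
        "all": set(), "any": {"GetAsyncKeyState", "GetKeyboardState", "SetWindowsHookExW"}},
    "window title tracking": {
        "all": {"GetForegroundWindow", "GetWindowTextW"}, "any": set()},
    "privilege adjustment": {
        "all": {"AdjustTokenPrivileges", "LookupPrivilegeValueW"},
        "any": {"OpenProcessToken", "OpenThreadToken"}},
    "HTTP client": {
        "all": set(), "any": {"InternetOpenUrlW", "HttpSendRequestW", "WinHttpSendRequest"}},
    "raw sockets": {"all": {"socket", "connect"}, "any": {"send", "recv"}},
    "debugger check": {"all": {"IsDebuggerPresent"}, "any": set()},
    "dynamic API resolution": {
        "all": {"GetProcAddress"}, "any": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"}},
    "process enumeration": {
        "all": {"CreateToolhelp32Snapshot", "Process32FirstW"}, "any": set()},
}


def parse_imports(lines: List[str]) -> Dict[str, Set[str]]:
    """Parse 'DLL | api, api, ...' lines into {dll: {api, ...}}."""
    imports: Dict[str, Set[str]] = {}
    for line in lines:
        dll, _, apis = line.partition("|")
        names = {a.strip() for a in apis.split(",") if a.strip()}
        imports.setdefault(dll.strip(), set()).update(names)
    return imports


def capabilities(imports: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {capability: ['DLL!api', ...]} for every rule the import set satisfies."""
    owner = {api: dll for dll, apis in imports.items() for api in apis}
    present = set(owner)
    hits: Dict[str, List[str]] = {}
    for name, rule in CAPABILITIES.items():
        if rule["all"] <= present and (not rule["any"] or rule["any"] & present):
            evidence = (rule["all"] | rule["any"]) & present
            hits[name] = sorted(f"{owner[api]}!{api}" for api in evidence)
    return hits


if __name__ == "__main__":
    for cap, evidence in capabilities(parse_imports(IMPORT_LINES)).items():
        print(f"{cap:34s} <- {', '.join(evidence)}")
```

The "any" groups are where false negatives hide: a sample that resolves its injection APIs at runtime through GetProcAddress (which this import set also shows) leaves no static trace of them, so an empty result for "foreign-process memory write" never rules the behaviour out.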
                                Language of compilation system | Country where language is spoken | Map
                                English | Great Britain | -
                                English | United States | -
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-10-29T16:52:26.114881+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49781 | 193.122.6.168 | 80 | TCP
                                2024-10-29T16:53:05.583685+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49785 | 193.122.6.168 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 29, 2024 16:52:24.905019999 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:52:24.910429955 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:52:24.910527945 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:52:24.910814047 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:52:24.918322086 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:52:25.786905050 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:52:25.815356970 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:52:25.820895910 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:52:26.071583033 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:52:26.081787109 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.081814051 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.081901073 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.090439081 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.090452909 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.114881039 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:52:26.712096930 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.712217093 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.714881897 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.714912891 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.715262890 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.755502939 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.765580893 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.811336040 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.917001963 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.917071104 CET | 443 | 49782 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:52:26.917191029 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:52:26.923578024 CET | 49782 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:04.410135031 CET | 49785 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:53:04.415731907 CET | 80 | 49785 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:04.415810108 CET | 49785 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:53:04.416147947 CET | 49785 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:53:04.421725035 CET | 80 | 49785 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:05.266864061 CET | 80 | 49785 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:05.274106979 CET | 49785 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:53:05.279448986 CET | 80 | 49785 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:05.536451101 CET | 80 | 49785 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:05.538834095 CET | 49786 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.538855076 CET | 443 | 49786 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:05.538928986 CET | 49786 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.544814110 CET | 49786 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.544830084 CET | 443 | 49786 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:05.568109989 CET | 443 | 49786 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:05.568171024 CET | 49786 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.583684921 CET | 49785 | 80 | 192.168.2.6 | 193.122.6.168
                                Oct 29, 2024 16:53:05.591671944 CET | 49786 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.591691971 CET | 443 | 49786 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:05.593944073 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.593985081 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:05.594075918 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.594585896 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:05.594600916 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.208853006 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.208961964 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:06.213879108 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:06.213890076 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.214356899 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.255580902 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:06.276177883 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:06.323323965 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.434443951 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.434511900 CET | 443 | 49787 | 188.114.96.3 | 192.168.2.6
                                Oct 29, 2024 16:53:06.434561014 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:06.435332060 CET | 49787 | 443 | 192.168.2.6 | 188.114.96.3
                                Oct 29, 2024 16:53:31.214400053 CET | 80 | 49781 | 193.122.6.168 | 192.168.2.6
                                Oct 29, 2024 16:53:31.214554071 CET | 49781 | 80 | 192.168.2.6 | 193.122.6.168
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 29, 2024 16:52:24.891514063 CET | 51638 | 53 | 192.168.2.6 | 1.1.1.1
                                Oct 29, 2024 16:52:24.899878979 CET | 53 | 51638 | 1.1.1.1 | 192.168.2.6
                                Oct 29, 2024 16:52:26.073347092 CET | 52251 | 53 | 192.168.2.6 | 1.1.1.1
                                Oct 29, 2024 16:52:26.081175089 CET | 53 | 52251 | 1.1.1.1 | 192.168.2.6
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Oct 29, 2024 16:52:24.891514063 CET | 192.168.2.6 | 1.1.1.1 | 0xab9 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:26.073347092 CET | 192.168.2.6 | 1.1.1.1 | 0x16b8 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:24.899878979 CET | 1.1.1.1 | 192.168.2.6 | 0xab9 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:26.081175089 CET | 1.1.1.1 | 192.168.2.6 | 0x16b8 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                Oct 29, 2024 16:52:26.081175089 CET | 1.1.1.1 | 192.168.2.6 | 0x16b8 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                • reallyfreegeoip.org
                                • checkip.dyndns.org
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.6 | 49781 | 193.122.6.168 | 80 | 5144 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 29, 2024 16:52:24.910814047 CET | 151 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                Host: checkip.dyndns.org
                                Connection: Keep-Alive
                                Oct 29, 2024 16:52:25.786905050 CET | 323 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:52:25 GMT
                                Content-Type: text/html
                                Content-Length: 106
                                Connection: keep-alive
                                Cache-Control: no-cache
                                Pragma: no-cache
                                X-Request-ID: cdc926b7ade02bfe3922783b3009e87e
                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                Oct 29, 2024 16:52:25.815356970 CET | 127 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                Host: checkip.dyndns.org
                                Oct 29, 2024 16:52:26.071583033 CET | 323 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:52:25 GMT
                                Content-Type: text/html
                                Content-Length: 106
                                Connection: keep-alive
                                Cache-Control: no-cache
                                Pragma: no-cache
                                X-Request-ID: 79cd6736776f27e6acc1b60b26c3c34e
                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.6 | 49785 | 193.122.6.168 | 80 | 3840 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Oct 29, 2024 16:53:04.416147947 CET | 151 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                Host: checkip.dyndns.org
                                Connection: Keep-Alive
                                Oct 29, 2024 16:53:05.266864061 CET | 323 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:53:05 GMT
                                Content-Type: text/html
                                Content-Length: 106
                                Connection: keep-alive
                                Cache-Control: no-cache
                                Pragma: no-cache
                                X-Request-ID: e3caffc210de4d6055b48142cbab5460
                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
                                Oct 29, 2024 16:53:05.274106979 CET | 127 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                Host: checkip.dyndns.org
                                Oct 29, 2024 16:53:05.536451101 CET | 323 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:53:05 GMT
                                Content-Type: text/html
                                Content-Length: 106
                                Connection: keep-alive
                                Cache-Control: no-cache
                                Pragma: no-cache
                                X-Request-ID: 69c21a41b6be31388a80b39f9868966e
                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>


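The two sessions above (the external-IP check against checkip.dyndns.org, made twice by the RegSvcs.exe host process with a hard-coded MSIE 6.0 User-Agent) and the reallyfreegeoip.org lookup that follows are the traffic behind the report's "tries to detect the country of the analysis system (by using the IP)" finding. The Python below is an added example, not code from the report or from the sample: it replays both exchanges from constructed copies of the captured requests and bodies (transcribed from the sessions on this page; the geoip XML is cut where the capture is) and reproduces the triage a detection engineer would script over proxy or sandbox HTTP logs. The host lists and the User-Agent check are this example's own heuristics; the page does not state what the ETPRO 2803274 signature actually matches on, so nothing here claims to replicate that rule.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copies of the exchanges shown in the report (headers abbreviated).
CHECKIP_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
CHECKIP_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 173.254.250.72</body></html>\r\n"
)
GEOIP_REQUEST = (
    "GET /xml/173.254.250.72 HTTP/1.1\r\n"
    "Host: reallyfreegeoip.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
# Decoded from the report's "Data Raw" hex; the capture ends before </Response>.
GEOIP_BODY = (
    "<Response>\n\t<IP>173.254.250.72</IP>\n\t<CountryCode>US</CountryCode>\n"
    "\t<CountryName>United States</CountryName>\n\t<RegionCode>TX</RegionCode>\n"
    "\t<RegionName>Texas</RegionName>\n\t<City>Killeen</City>\n"
    "\t<ZipCode>76549</ZipCode>\n\t<TimeZone>America/Chicago</TimeZone>"
)

# Heuristic host lists (this example's own; extend from your own telemetry).
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def external_ip_from_checkip(body: str) -> Optional[str]:
    """Extract the address the IP-check service echoed back, if any."""
    m = re.search(r"Current IP Address:\s*(" + IPV4 + ")", body)
    return m.group(1) if m else None


def geoip_fields(body: str) -> Dict[str, str]:
    """Pull <Tag>text</Tag> pairs; tolerant of the truncated body in the capture."""
    return dict(re.findall(r"<(\w+)>([^<]*)</\1>", body))


def triage(sessions: List[Tuple[str, str]]) -> Dict[str, object]:
    """Walk (request, response body) pairs in capture order and flag the IP-check ->
    geolocation sequence that the report attributes to the sample."""
    findings: Dict[str, object] = {
        "ip_check_hosts": [], "external_ip": None, "country": None,
        "ip_check_then_geoip": False, "legacy_ie_ua": False,
    }
    for raw_req, body in sessions:
        _method, path, hdrs = parse_request(raw_req)
        host = hdrs.get("host", "")
        # The MSIE 6.0 / .NET CLR 1.0.3705 string is the UA seen in this report;
        # treating it as an indicator is this example's assumption.
        if "MSIE 6.0" in hdrs.get("user-agent", ""):
            findings["legacy_ie_ua"] = True
        if host in IP_CHECK_HOSTS:
            findings["ip_check_hosts"].append(host)
            findings["external_ip"] = external_ip_from_checkip(body) or findings["external_ip"]
        elif host in GEOIP_HOSTS:
            findings["country"] = geoip_fields(body).get("CountryCode")
            # Only count the sequence when the looked-up IP is the one just learned.
            if findings["external_ip"] and findings["external_ip"] in path:
                findings["ip_check_then_geoip"] = True
    return findings


if __name__ == "__main__":
    print(triage([(CHECKIP_REQUEST, CHECKIP_BODY), (GEOIP_REQUEST, GEOIP_BODY)]))
```

Two points worth carrying into a production rule: the geolocation request reuses the address returned by the IP check, so correlating the two sessions on that value is far more specific than alerting on either host alone, and the second checkip request in each session (sent without a Connection header, 127 bytes) shows the client repeating the lookup on the same keep-alive connection, so the correlation must be done per flow rather than per request.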
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.6 | 49782 | 188.114.96.3 | 443 | 5144 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-29 15:52:26 UTC | 87 | OUT | GET /xml/173.254.250.72 HTTP/1.1
                                Host: reallyfreegeoip.org
                                Connection: Keep-Alive
                                2024-10-29 15:52:26 UTC | 885 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:52:26 GMT
                                Content-Type: text/xml
                                Content-Length: 359
                                Connection: close
                                apigw-requestid: AZ6gpggEPHcESXQ=
                                Cache-Control: max-age=31536000
                                CF-Cache-Status: HIT
                                Age: 24656
                                Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                Accept-Ranges: bytes
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DSlAIIRLZwZxleEKrspZYBVGvZciKbsAmCZREnNZVfg9VyOu%2BOGnas1yZYRcUHFOWg3TKj4TtDn%2BoV4YRiiANvWTBE9mXmTSbXEUMiaq6g4NfGg7J9do%2B36ptduZgBWSm9kPvP2l"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 8da4552fbd181442-DFW
                                alt-svc: h3=":443"; ma=86400
                                server-timing: cfL4;desc="?proto=TCP&rtt=1110&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2167664&cwnd=251&unsent_bytes=0&cid=591cec375edc14cb&ts=215&x=0"
                                Timestamp:2024-10-29 15:52:26 UTC
                                Bytes transferred:359
                                Direction:IN
                                Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                Session ID:1
                                Source IP:192.168.2.6
                                Source Port:49787
                                Destination IP:188.114.96.3
                                Destination Port:443
                                PID:3840
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Timestamp:2024-10-29 15:53:06 UTC
                                Bytes transferred:87
                                Direction:OUT
                                Data:
                                GET /xml/173.254.250.72 HTTP/1.1
                                Host: reallyfreegeoip.org
                                Connection: Keep-Alive
                                Timestamp:2024-10-29 15:53:06 UTC
                                Bytes transferred:879
                                Direction:IN
                                Data:
                                HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 15:53:06 GMT
                                Content-Type: text/xml
                                Content-Length: 359
                                Connection: close
                                apigw-requestid: AZ6gpggEPHcESXQ=
                                Cache-Control: max-age=31536000
                                CF-Cache-Status: HIT
                                Age: 24696
                                Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT
                                Accept-Ranges: bytes
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYqNujESAKtjKwoFsFdCRwJPZSjCYDT1otWL7XLlP0saNJ4Xq5b7dhHv7OvdkrZoNLfxFjD6RtTvuP9nexkpAAW6QsKY9VkMx0ZWeHnaHXRgK1toJbcR6gTLe7MiMS2L538z4lVf"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 8da456269d112e77-DFW
                                alt-svc: h3=":443"; ma=86400
                                server-timing: cfL4;desc="?proto=TCP&rtt=1155&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2456318&cwnd=251&unsent_bytes=0&cid=107b0fd10c4f084a&ts=237&x=0"
                                Timestamp:2024-10-29 15:53:06 UTC
                                Bytes transferred:359
                                Direction:IN
                                Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>


                                Target ID:0
                                Start time:11:51:31
                                Start date:29/10/2024
                                Path:C:\Users\user\Desktop\INVOICE.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\INVOICE.exe"
                                Imagebase:0x400000
                                File size:1'179'107 bytes
                                MD5 hash:B78BA2B23D497CD1D6D083E650F3D0EF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:11:51:57
                                Start date:29/10/2024
                                Path:C:\Users\user\AppData\Local\emboweling\neophobia.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\INVOICE.exe"
                                Imagebase:0x400000
                                File size:1'179'107 bytes
                                MD5 hash:B78BA2B23D497CD1D6D083E650F3D0EF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 26%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:11:52:23
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\INVOICE.exe"
                                Imagebase:0xb80000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3375461228.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.3375309943.00000000030E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.3374804433.0000000003060000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                Reputation:high
                                Has exited:false

                                Target ID:6
                                Start time:11:52:35
                                Start date:29/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
                                Imagebase:0x7ff6c53f0000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:11:52:36
                                Start date:29/10/2024
                                Path:C:\Users\user\AppData\Local\emboweling\neophobia.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\emboweling\neophobia.exe"
                                Imagebase:0x400000
                                File size:1'179'107 bytes
                                MD5 hash:B78BA2B23D497CD1D6D083E650F3D0EF
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:8
                                Start time:11:53:03
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\emboweling\neophobia.exe"
                                Imagebase:0xf20000
                                File size:45'984 bytes
                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3374825721.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.3377424880.0000000004311000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.3373498824.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:false

                                  Execution Graph

                                  Execution Coverage:5.5%
                                  Dynamic/Decrypted Code Coverage:8.8%
                                  Signature Coverage:19.8%
                                  Total number of Nodes:91
                                  Total number of Limit Nodes:4

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNELBASE(00000000), ref: 004020AE
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00402171
                                  • VariantInit.OLEAUT32(?), ref: 0040227B
                                  • VariantInit.OLEAUT32(?), ref: 00402293
                                  • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 004022F6
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00402308
                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 0040231E
                                  • SafeArrayDestroy.OLEAUT32(00000000), ref: 00402355
                                  • SafeArrayCreateVector.OLEAUT32(0000000C), ref: 00402396
                                  • VariantClear.OLEAUT32(?), ref: 00402411
                                  • VariantClear.OLEAUT32(?), ref: 00402424
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Variant$ClearCreateDataInit$AccessAddressDestroyLibraryLoadProcUnaccessVector
                                  • String ID: !$!$%$'$)$*$.$4$4$5$6$U$V$W$W$[$_._$___$o$o$v$v$x$x${${
                                  • API String ID: 2727121306-2859280241
                                  • Opcode ID: 6d6e1572091d4ee57d85047efd5f3480165809f5cb74188ba8f05afc3572150d
                                  • Instruction ID: b28e78a03fce0db95d5d03cd049d8363377ded952c0376b19ae452cca9c95383
                                  • Opcode Fuzzy Hash: 6d6e1572091d4ee57d85047efd5f3480165809f5cb74188ba8f05afc3572150d
                                  • Instruction Fuzzy Hash: 0CD17B3110C3C19EC321DB688888A4FBBE5AF96314F484A5DF5D49B2E1C7B9D909C767

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52dff68bfc27e784fbaa44013ad34ff21977c1f0740f33ba1d3bc1bd675d78df
                                  • Instruction ID: c23a4a2bc47cba582b0ae799459f1b59a6fbddc213153b1e4ff76b3a34821b40
                                  • Opcode Fuzzy Hash: 52dff68bfc27e784fbaa44013ad34ff21977c1f0740f33ba1d3bc1bd675d78df
                                  • Instruction Fuzzy Hash: FA826D74E01268DFEBA4DF69D994BDDBBB2BB89300F1081EA950DA7251DB705E81CF40

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 58fb9a7528650eed155b93d966af58b2f6e1f86cd4d12d74309ac085b053a69e
                                  • Instruction ID: c0f0fa28541ae257c6f8167988cd93259b35a65998a8077357634fbfcf327e3d
                                  • Opcode Fuzzy Hash: 58fb9a7528650eed155b93d966af58b2f6e1f86cd4d12d74309ac085b053a69e
                                  • Instruction Fuzzy Hash: AA229C70A102099FDB54DFA9C954AAEBBF6BF88340F148569E906DB391EF309D41CF90

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6ac679ac3b700dea328179d8c015166bbec42285bb526222bbc06eff7917f27
                                  • Instruction ID: 0389948005314dd527e0db6f55bd3ab19161d0705fc40c85fd04fe18b83397a2
                                  • Opcode Fuzzy Hash: b6ac679ac3b700dea328179d8c015166bbec42285bb526222bbc06eff7917f27
                                  • Instruction Fuzzy Hash: 1FD14B70E20119DFDB94CFA8C984AADBBB6FF98300F658165E505AB364EB71E841CF50

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a726c340a3fbc372aa5e1977f103295105bd99f26c5f025ec7b02d7e4f6ab56
                                  • Instruction ID: 5f3c3ce0c3d5058314b588a5b8e831cd5649d4dc8ff03ccda0bba6063b0cb864
                                  • Opcode Fuzzy Hash: 3a726c340a3fbc372aa5e1977f103295105bd99f26c5f025ec7b02d7e4f6ab56
                                  • Instruction Fuzzy Hash: F8E1BF74E01218CFEB64DFA5C894B9DBBB2BF89304F2081A9D409A7391DB755E85CF10
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a32360449b9ada5b350d7702987425cec1af4e3c2130389e92c82bbd74b4b5e4
                                  • Instruction ID: c25fd5e026327cfb6931ceb638772fad72591b08771a9c4790cc9e13100b11bd
                                  • Opcode Fuzzy Hash: a32360449b9ada5b350d7702987425cec1af4e3c2130389e92c82bbd74b4b5e4
                                  • Instruction Fuzzy Hash: 2A81E470E01218CFDB58DFAAC954BADBBF2BF89300F24846AD409AB395DB345945CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1e6976d85812715797b5d63ae21434f9241dc6baec371d50a3b05386362ae2e
                                  • Instruction ID: e3b412b646f2188558ac4e2192c56fcf3d4e2244650b15628cebb349ec43441f
                                  • Opcode Fuzzy Hash: c1e6976d85812715797b5d63ae21434f9241dc6baec371d50a3b05386362ae2e
                                  • Instruction Fuzzy Hash: B0511971D012488FEB19DFAAC8547DEBBB2FF89300F14C1AAC458AB291DB354946CF60

                                  Control-flow Graph

                                  APIs
                                  • _malloc.LIBCMT ref: 0040AF80
                                    • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                    • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                    • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4
                                  • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                    • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                  • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                  • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                  • String ID:
                                  • API String ID: 1411284514-0
                                  • Opcode ID: 05ad83b6852f2baf64dcf3e3e5558773909301e86b0c929512f0ba7e34fb01c9
                                  • Instruction ID: 8eadb5cd03773abbcedb36d2c15614709fcdd1917857d43be7c9c2f2185a7b4a
                                  • Opcode Fuzzy Hash: 05ad83b6852f2baf64dcf3e3e5558773909301e86b0c929512f0ba7e34fb01c9
                                  • Instruction Fuzzy Hash: AFF09621A0434A62CA157661DC06D5A7B688E4031CB60007BE811761D2DFBDEA6695DE

                                  Control-flow Graph

                                  APIs
                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02CEED04
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: cf2ef8c11614f160edbc0182cbe804e9f47b91c907b1b4a64b3358314954a808
                                  • Instruction ID: b6085617f06af1ff6416a15afe8c9d95fe1f45b217ac67f02e90a998498fc105
                                  • Opcode Fuzzy Hash: cf2ef8c11614f160edbc0182cbe804e9f47b91c907b1b4a64b3358314954a808
                                  • Instruction Fuzzy Hash: 3731A7B5D012499FDF10CFA9E980A9EFBB1BF49320F24902AE819B7210D775A945CF94

                                  Control-flow Graph

                                  APIs
                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: CreateHeap
                                  • String ID:
                                  • API String ID: 10892065-0
                                  • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                  • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                  • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                  • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

                                  Control-flow Graph

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 02CEEFAE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 65363b456e0663eeb47c81d2ed44e427d429294d20f6e12cc96cdabf5ecd084e
                                  • Instruction ID: bc7313685617e6b351dee204b0174307269fead4f2992150aa5c1eb434b5e9a0
                                  • Opcode Fuzzy Hash: 65363b456e0663eeb47c81d2ed44e427d429294d20f6e12cc96cdabf5ecd084e
                                  • Instruction Fuzzy Hash: B231CBB4D012199FDF10CFAAD981A9EFBB4AF48320F14942AE815B7300D775A901CF94

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19f3796cc4b43c77b5477643df530299400d8afdf3eebecbc5443c72a50db91a
                                  • Instruction ID: 0815b5c61822c0e531857a1b46b0363e5a84eab05e2cc3cd21bfaf5553e4ba32
                                  • Opcode Fuzzy Hash: 19f3796cc4b43c77b5477643df530299400d8afdf3eebecbc5443c72a50db91a
                                  • Instruction Fuzzy Hash: C4621070E10219CFEB54DBA4C894BAEBB77EF98300F1080A9D60A6B365DE359D81DF51

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1ec95e901262b69f65c878583f237146d1b05495a430117e2c2056963b9b694
                                  • Instruction ID: d4e76dad33683289a2142e9a376955a45f15cdaa186ec747392e96a0ffb820a2
                                  • Opcode Fuzzy Hash: f1ec95e901262b69f65c878583f237146d1b05495a430117e2c2056963b9b694
                                  • Instruction Fuzzy Hash: 55122C31A1010ADFCB54DF68C994AAABBF2FF88304F258555E506DB2A1DB30ED81CF91

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac0b55fd0c8d6a12fbbaba629373efee7a85c06c3b493a1f87f5e6ddbfc37449
                                  • Instruction ID: 07a4aec91c93184f347eb4413a15490081790613f7a6eb33c08f77a8d47a6596
                                  • Opcode Fuzzy Hash: ac0b55fd0c8d6a12fbbaba629373efee7a85c06c3b493a1f87f5e6ddbfc37449
                                  • Instruction Fuzzy Hash: 97D10B75E106149FCB44CF68C988AADBBF6BF88314B1A8499E645AB371DB31EC41CF50

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31dce5df43ca602f460b509da8866f99c304e12990414de7016c9d586c5a7db0
                                  • Instruction ID: 8984f0b257e4d8b66b1a6be6fb4e868e03db297c36ba4cf2e9b6d965cb1c7102
                                  • Opcode Fuzzy Hash: 31dce5df43ca602f460b509da8866f99c304e12990414de7016c9d586c5a7db0
                                  • Instruction Fuzzy Hash: B4C12B71E102188FCB44CFA8C988A9DBBF6BF88314F598599E615AB361DB35EC41CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7b7647ce97425c648d299b17f5ef739f3e3febd8c8ac8a79fbbfed157e69cabd
                                  • Instruction ID: 3b3a4fe669e113d0d52aaa38a55d452903b881eb31b73db58151364ebab4c96e
                                  • Opcode Fuzzy Hash: 7b7647ce97425c648d299b17f5ef739f3e3febd8c8ac8a79fbbfed157e69cabd
                                  • Instruction Fuzzy Hash: B381AF30E20205CFDB94CFADC88496EBBB2BF99214B158569D605E73A5EB71E841CF90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e5c8d6fb87d2024bc0d2513848a56a6599c4bd7a41e714a6fd7a774ab7863614
                                  • Instruction ID: 0bbae0a4963fc46f898dc66f920c072b119102e98aed8bc55603a2f1f5796e20
                                  • Opcode Fuzzy Hash: e5c8d6fb87d2024bc0d2513848a56a6599c4bd7a41e714a6fd7a774ab7863614
                                  • Instruction Fuzzy Hash: 6D719231F102599BDF59EFA5C850AAEBBB6BFC8700F148529E506A7380DF709D02CB91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e9cd980d45dbfe7db5979672ccd030990334147ad5cf9b7ec8ab865fca682ed
                                  • Instruction ID: 3053c3eb7a25c24334f6236c8183981f650062c97e69759d9720fbfb3a1abcc6
                                  • Opcode Fuzzy Hash: 3e9cd980d45dbfe7db5979672ccd030990334147ad5cf9b7ec8ab865fca682ed
                                  • Instruction Fuzzy Hash: BE51DD71B142569FDB658F24C854B6F7BF6FFC8300F058969EA46CB292DB348801CBA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32656266a876a4d275b4415e6fd73804a4aab52a74007d5a09149535bb43067b
                                  • Instruction ID: deca6bf6704fbabbed2817bf1eab33ce0140d247384bab20896ed857e030c4ef
                                  • Opcode Fuzzy Hash: 32656266a876a4d275b4415e6fd73804a4aab52a74007d5a09149535bb43067b
                                  • Instruction Fuzzy Hash: B8519D317241118FDB54DF39EC98E2A7BEAFF8D64070545AAE61ACB361EB21DC05CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40f256593bb8e177566344bb53f18ef0c064b02e09dae07e436966420fc90e56
                                  • Instruction ID: 0a49dc4a1a44717abbf51cb0ab73fd191c587c4cb83ea01c767e27137a66c732
                                  • Opcode Fuzzy Hash: 40f256593bb8e177566344bb53f18ef0c064b02e09dae07e436966420fc90e56
                                  • Instruction Fuzzy Hash: 1B819374E41229DFDB65DF29D954BEDBBB2BB89300F1081EAD909A7250DB705E81CF80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2a19782b9146e56158c6f1631af900e4a3bb63fc92678c3f8001a3926759559
                                  • Instruction ID: 462ee4d2a67a5bccc0aef28c2f6a68ec14d362ba9e393dc3aacc6fd4be17324e
                                  • Opcode Fuzzy Hash: b2a19782b9146e56158c6f1631af900e4a3bb63fc92678c3f8001a3926759559
                                  • Instruction Fuzzy Hash: 5B51FF74E01218DFDB14DFE5D994AAEBBB2FF88300F208129E905AB395DB756985CF40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b9d6a7251029d68e4e01e52824cc10a1422a0a1a4eb1c76683dab37e463ec1a1
                                  • Instruction ID: 18e3437fb1b66f302ee38a58b2916fb6820e2b09f4bb29f2e52196f27a77a383
                                  • Opcode Fuzzy Hash: b9d6a7251029d68e4e01e52824cc10a1422a0a1a4eb1c76683dab37e463ec1a1
                                  • Instruction Fuzzy Hash: 52418C307102168FDB69AB79C45473F7AE6BBC8340F148569E7468B396DF348C46CB92
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df585482993f1a1f97f583b4e3304d1da105845406d45bffd907311bd6221612
                                  • Instruction ID: 06b99e0ea8695e96b4c6930eb1429d9da574aca50e9159d44d3cd0d4cef9a07f
                                  • Opcode Fuzzy Hash: df585482993f1a1f97f583b4e3304d1da105845406d45bffd907311bd6221612
                                  • Instruction Fuzzy Hash: 7C417071E1065ADBDB24DFA5C890AEEBBF6BF98700F148129E511B7340EB70A945CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d22438ab32c9114ffb0f6969fa379a15e91b3a6fb207d1bbd97908ed09f136e
                                  • Instruction ID: 8bb7d0aa6f2d7e03777c7f37c0ab6c8fb923f16e889bed559693f5c9ec163148
                                  • Opcode Fuzzy Hash: 2d22438ab32c9114ffb0f6969fa379a15e91b3a6fb207d1bbd97908ed09f136e
                                  • Instruction Fuzzy Hash: 0C4176B9D04258DFCF10CFA9D984AAEBBB0BB19310F14A01AE914BB210D375A951CF68
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2ba96022444f4383b87050e622cb0f16cb2dd94c1afd76e87ee593d4036b98c
                                  • Instruction ID: 6b33bfa0e1c217bfb8188fe691868a00334aa40060a1076b8b237fbfd140973f
                                  • Opcode Fuzzy Hash: a2ba96022444f4383b87050e622cb0f16cb2dd94c1afd76e87ee593d4036b98c
                                  • Instruction Fuzzy Hash: C84188B9D04259DFCF10CFA9D984ADEFBB0BB19310F14A01AE914B7210D375A955CF64
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c2a94eb25ab2c50b7ab338eb6c2770b2307b573a01c690e338193d07f9f1b566
                                  • Instruction ID: 18e0bf76ac70d4084d9da0698307a18a0e4f1df44a8038bf7cffd30a1400c767
                                  • Opcode Fuzzy Hash: c2a94eb25ab2c50b7ab338eb6c2770b2307b573a01c690e338193d07f9f1b566
                                  • Instruction Fuzzy Hash: F4414635A201199FCB54CF69D888AAA7BB6BB48311F104469FA06CB3B1CB31DD80CF91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28790325ff11e32f689fb8bfd5cd52de7c737f22e396a541012029d1b76c71b8
                                  • Instruction ID: 22327f02064f44ff1d17e506e6d160f87f5fa19bb53751e5f18388e97cf97565
                                  • Opcode Fuzzy Hash: 28790325ff11e32f689fb8bfd5cd52de7c737f22e396a541012029d1b76c71b8
                                  • Instruction Fuzzy Hash: 5C318F31B502089FDB089B64D854AAEBBB6FFCC750F548469EA06E7384DF319C01CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbe179b47cb16ee34eeede128fdd79cf03dbad373f6fdebafe12df534e0e5578
                                  • Instruction ID: ed4556fcada8ab89c6befb1fc5e5372cd4408aeba1fb1440bf65932bb2a9b60a
                                  • Opcode Fuzzy Hash: dbe179b47cb16ee34eeede128fdd79cf03dbad373f6fdebafe12df534e0e5578
                                  • Instruction Fuzzy Hash: CA31C03171425A9FCF069F64E8559AF7FA2FF88300B088059FA869B252DF35C825DF90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 22331f035ae2f67ae5134a8533b73a827508bd977c1c07d5e5d7e0c0458c5bf9
                                  • Instruction ID: fa9cf3226e17c0aacdf63c50e7213f27695daa3a6f875b74f4e3cb82e873d595
                                  • Opcode Fuzzy Hash: 22331f035ae2f67ae5134a8533b73a827508bd977c1c07d5e5d7e0c0458c5bf9
                                  • Instruction Fuzzy Hash: E5312370C02359AFDB54DFA5D854BEEBBB6FF89300F508429E805AB284DB784946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bc153b872a1d2a0b66f8a5d6b7b1db25be7b261d940b6ec1401798c7db02941
                                  • Instruction ID: 318af4dcd11a6d109b3a43a1f98fa9658cd1b96d3adb0a1b0e684941bb3c5586
                                  • Opcode Fuzzy Hash: 7bc153b872a1d2a0b66f8a5d6b7b1db25be7b261d940b6ec1401798c7db02941
                                  • Instruction Fuzzy Hash: 82217431724155DFD754CFA6BC50AAB7BAAFB8D240B044426F612C7250DB76DC45CBA0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78dec0d7be69419c97ee45b24089111a9cd4889d1ceb5f1b6505ed8793094864
                                  • Instruction ID: 3c1107cda269475beffc41d80b4e9f98541fb39d17f8d647b0d60c1f25285cdf
                                  • Opcode Fuzzy Hash: 78dec0d7be69419c97ee45b24089111a9cd4889d1ceb5f1b6505ed8793094864
                                  • Instruction Fuzzy Hash: 6E210676504701EFDF05DF10D9C0B2ABB69FB84314F2485A9E90A0B256C736D417CB61
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5dd08e246de15751b2e47e77bccb79cd87da1cbe60104f233d2413e2ee9970b5
                                  • Instruction ID: cc2a2277d429585cef33afd41aacf948874911e920d6e920722300ca53fe9085
                                  • Opcode Fuzzy Hash: 5dd08e246de15751b2e47e77bccb79cd87da1cbe60104f233d2413e2ee9970b5
                                  • Instruction Fuzzy Hash: A72133B2514644EFDF04DF10D9C0B26BF69FB88314F20856DE90E0A216CB36D857CAA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d848a2378856032de09f192f84d688e5cb8bf037f176c3ebc739ad187f3800c
                                  • Instruction ID: fe469ed9f62b56a8918dfdee2b855084674b1958fe7e8bbbd2b972b8cb33245b
                                  • Opcode Fuzzy Hash: 3d848a2378856032de09f192f84d688e5cb8bf037f176c3ebc739ad187f3800c
                                  • Instruction Fuzzy Hash: E021F335B106129BC7659B29D454A2FB7AAFF84755B048569EA0BCB344DF31DC02CBC0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373693083.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2afd000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc1244ec3098143b060253df78dfe5b1d85c11d03c41020fdd4b5ffc818cfa00
                                  • Instruction ID: 1f8f37ae2ea26a8ee18b9eabde540eaebf5bdf38372ec5c11cbcfeb5c83f53d9
                                  • Opcode Fuzzy Hash: dc1244ec3098143b060253df78dfe5b1d85c11d03c41020fdd4b5ffc818cfa00
                                  • Instruction Fuzzy Hash: 672176B1104700EFDB56DF50D9C0B26BBA1FB84318F20C56DEA0A4B652CB7ED807CA62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373693083.0000000002AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2afd000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97d074b9855be6afca3a73c2b05694bf9250c9ed7803c0493012053b7bf4c2f0
                                  • Instruction ID: 20206e76b694e7b9cd9a48d789599f4a9c1480693d9a35c1b06899ef1eecb0f8
                                  • Opcode Fuzzy Hash: 97d074b9855be6afca3a73c2b05694bf9250c9ed7803c0493012053b7bf4c2f0
                                  • Instruction Fuzzy Hash: DD217A7100D7C09FCB03CB64D990711BF71AB46214F29C5DBD9898F6A3C73A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d790d191ac721e732d456d52eaf1c234f523385787a368880c92df23fa9a8a37
                                  • Instruction ID: 28315589fd5c47bbefb116ee41d17fd680a657eae646e7a9dd01c4328f404cf1
                                  • Opcode Fuzzy Hash: d790d191ac721e732d456d52eaf1c234f523385787a368880c92df23fa9a8a37
                                  • Instruction Fuzzy Hash: 5321F331A1424A9FDF159F24E54977B3BE2FB94311F048069FA469B286DB38CC66CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57eab0eaab166037a932b9a70377305ddc3ddd0f34f5acd818893c6d85325fd4
                                  • Instruction ID: ec304dcb075e0d6295ba09085c5f780e79db2e6b9f7a87de568beb2f72d80600
                                  • Opcode Fuzzy Hash: 57eab0eaab166037a932b9a70377305ddc3ddd0f34f5acd818893c6d85325fd4
                                  • Instruction Fuzzy Hash: B21123357082945FDF4AAFB8986467E3FA3EBC9640F444429E506CB381DF344D02C7A6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7c73e593d66b1ef61e51039d22e3045d2d50c697859808914adb8a9284dcd2c
                                  • Instruction ID: fad8b8998e3af9b1dc022b41258501778924bc45b280b54bb89aaaa45c16bcd4
                                  • Opcode Fuzzy Hash: e7c73e593d66b1ef61e51039d22e3045d2d50c697859808914adb8a9284dcd2c
                                  • Instruction Fuzzy Hash: AC219D30910208DFDB10DF58C948BAABBF5FB48314F44C96AE55A8B211E774E988CF91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 858f6b5c2d5ffad368346278de96630b207b37df9710273eb049590ae4bf13e2
                                  • Instruction ID: 4d110a4039ce9b1bcaa26bedbf3a6ddd0a6b292d6ea02bb92eeff58a1a2307ff
                                  • Opcode Fuzzy Hash: 858f6b5c2d5ffad368346278de96630b207b37df9710273eb049590ae4bf13e2
                                  • Instruction Fuzzy Hash: 13218CB6504684DFCF16CF10D9C4B1ABB62FB84314F2481A9DC090A656C33AD426CBA2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e33c40d954198949ad8286e652296461c2097b8667bfc91df540e88ec3755ca
                                  • Instruction ID: 0bd6c7dcc0d1bf0705845c7ef59548e266bc776de42fbb941be457f2952e157e
                                  • Opcode Fuzzy Hash: 4e33c40d954198949ad8286e652296461c2097b8667bfc91df540e88ec3755ca
                                  • Instruction Fuzzy Hash: CA11B1B6504684CFCF15DF10D9C4B16BF71FB84314F24C5A9D8490B256C33AD456CBA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d427f803bb20e523b114323489173897715ba4f74f27cf152ef6b8d95b57747
                                  • Instruction ID: 7cbe4d0a5e97087f08023d7be7fde33748e8a778c418c46fa854893ff80595f4
                                  • Opcode Fuzzy Hash: 1d427f803bb20e523b114323489173897715ba4f74f27cf152ef6b8d95b57747
                                  • Instruction Fuzzy Hash: CD113034F401998FEF00DBE8D960BAEBBB5BB44311F049165E948A7355FA7099428F50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13fd8b4aefa537d732512a789679d70a4ce1cf74cb44c79b66855cd5972a52f8
                                  • Instruction ID: be1c8476d03203a110c266c461d1e9106337af7da70cd925e04fd12047a37608
                                  • Opcode Fuzzy Hash: 13fd8b4aefa537d732512a789679d70a4ce1cf74cb44c79b66855cd5972a52f8
                                  • Instruction Fuzzy Hash: 5F01D632B001196FCF55DE55A801ABF7BEBEBC8750B588029F616D7240DE718C169B94
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aad1d996e3c9268b204214dc76e363ced0bd944a96361341509306a061a3fe3b
                                  • Instruction ID: f77ea4920cae6f20341d35e6682bd65256f583a8bb2a69e1c6d45ca5b2b5d461
                                  • Opcode Fuzzy Hash: aad1d996e3c9268b204214dc76e363ced0bd944a96361341509306a061a3fe3b
                                  • Instruction Fuzzy Hash: 1A014C6140E7C09EE7128B25D994B52BFB8EF43224F1D80CBD9898F1A3C2699849C772
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3373575948.0000000002AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2aed000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b5b9b0297f368cdeb0fca4c656445646f0bd621e7fd0fffd8764dddf7e755297
                                  • Instruction ID: b718e167af92b8343c8af85fb88b69909a9e569ee320cbef72281f312f212478
                                  • Opcode Fuzzy Hash: b5b9b0297f368cdeb0fca4c656445646f0bd621e7fd0fffd8764dddf7e755297
                                  • Instruction Fuzzy Hash: 8B01F271404B409AEB104F25D9C0B66BF9CEF41324F0CC02AED0B1A282CBB99842C6B1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d12c581e664e1d03a4a47aabddef3bf338d13237ee94c25386697332f0948279
                                  • Instruction ID: ff8dd3364fedc2ba8e8d7eef4f079ff4f84adffb1a62ab4e01ce9480366bca7b
                                  • Opcode Fuzzy Hash: d12c581e664e1d03a4a47aabddef3bf338d13237ee94c25386697332f0948279
                                  • Instruction Fuzzy Hash: B3F096317205514F87A59B7ED544A2AB6DEBFC8A513150179FA05CB369DF60CC01CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3f1f6d7d47e4cc031f17d8af5d796df52734bd0ffa308916ab55e314348776a6
                                  • Instruction ID: 570fdd6f4dd2d52899b5586047f2a2d4da549e69aad480a43db3cdadc33f9c13
                                  • Opcode Fuzzy Hash: 3f1f6d7d47e4cc031f17d8af5d796df52734bd0ffa308916ab55e314348776a6
                                  • Instruction Fuzzy Hash: 9AF0F432A00109AFEB11DF55A801BEF3FA6EBD8750F188025FA15D7240DA318816DB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25fa59c259c197fa3fe4bcad7c7df405341f9286c6a6f69c5a78a36811d91029
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                  • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                  • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                  APIs
                                  • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                  • API String ID:
                                  • Opcode ID: de4d06ee109560417cfae7369a561dc24731d2d5982dc6001d9058bf269c2e8c
                                  • Instruction ID: ca01d98839b707ac4c162c827280aed075c8a319a38bce92c8226ccbb178a2ca
                                  • Opcode Fuzzy Hash: de4d06ee109560417cfae7369a561dc24731d2d5982dc6001d9058bf269c2e8c
                                  • Instruction Fuzzy Hash: 51C19D74E01218CFEB54DFA5C984BADBBB2BF89300F2081A9D409AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a96762be160e0c8cb3c19a20de3c52fa284ecc07771ed70e4f661d30e726598
                                  • Instruction ID: 02d0f3261203195c6ae9f6699599b6896f408ff499a2407d38dd6a36dae89ff2
                                  • Opcode Fuzzy Hash: 2a96762be160e0c8cb3c19a20de3c52fa284ecc07771ed70e4f661d30e726598
                                  • Instruction Fuzzy Hash: 6AC1AF74E01218CFEB54DFA5C994BADBBB2BF89300F2081A9D409AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b37dedd4ddcaabc14322237020b0ff54a8f7a2a50139502e5d509484770920f6
                                  • Instruction ID: d0f0da3f8c042bcdc58c4e4fb3f564a5c7d39138c9e1aab8353774d13561d6c9
                                  • Opcode Fuzzy Hash: b37dedd4ddcaabc14322237020b0ff54a8f7a2a50139502e5d509484770920f6
                                  • Instruction Fuzzy Hash: 25C19074E01218CFDB54DFA5C984BADBBB2BF89300F2081A9D409AB365DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6197eeabe808d549b2ce34f38066ca6a8fb1979623e1ece79b6475e42c75ec21
                                  • Instruction ID: 176e860b432ab8256a9a16780e1f4d5bedc330f3562337b8f3989dc076c97717
                                  • Opcode Fuzzy Hash: 6197eeabe808d549b2ce34f38066ca6a8fb1979623e1ece79b6475e42c75ec21
                                  • Instruction Fuzzy Hash: 87C18D74E01218CFEB54DFA5C984B9DBBB2BF89300F2081A9D409AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 742ead574e9fd7bdb5b2e38a59cad587929b3d69341120a924d69594f69d30d7
                                  • Instruction ID: 8d9b624e43bad5bdaf8a623457d4b5fd7a2ac4ab4809d5f968ba3cf154e6beff
                                  • Opcode Fuzzy Hash: 742ead574e9fd7bdb5b2e38a59cad587929b3d69341120a924d69594f69d30d7
                                  • Instruction Fuzzy Hash: 24C1BD74E00218CFEB54DFA5C984BADBBB2BF88300F2081A9D409AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 606be9222f087f4080d67c177219cace2273ce92c00ceac011bf05b50d8f403a
                                  • Instruction ID: 1d4fb5d020a1c17f93abce69c4df4e460c86b8ab7fe7264bbe2a33b0d623c130
                                  • Opcode Fuzzy Hash: 606be9222f087f4080d67c177219cace2273ce92c00ceac011bf05b50d8f403a
                                  • Instruction Fuzzy Hash: 66C19D74E01218CFEB54DFA5C984BADBBB2BF89300F2081A9D509AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c847d847fdef1856ed697ba1f17b0a7e6a766eeb4d34fd085ea5fdbda7ba817f
                                  • Instruction ID: 21c120c2efb7bf9f633a597b614e441f646045e400f60d91766c774ec6757274
                                  • Opcode Fuzzy Hash: c847d847fdef1856ed697ba1f17b0a7e6a766eeb4d34fd085ea5fdbda7ba817f
                                  • Instruction Fuzzy Hash: F1C17C74E01218CFEB54DFA5C994BADBBB2BF89300F2081A9D409AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ce2e44c7659c4208d846acfe7c5843e2e60ec427264bdabee059a2214f75a48
                                  • Instruction ID: 9c46522b028fde485eee9735cbd08165142a7eabca8cc2d726d2d2b9085a0850
                                  • Opcode Fuzzy Hash: 1ce2e44c7659c4208d846acfe7c5843e2e60ec427264bdabee059a2214f75a48
                                  • Instruction Fuzzy Hash: 00C19F74E01218CFEB54DFA5C984B9DBBB2BF89300F2081A9D509AB365DB355E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0938a56ca74b55af2fe0bba3de31c1e78ae0889fdac34cf727c9e0ba42d02957
                                  • Instruction ID: b81c75e3499eadb86883f78b093d7d8b754a2079b93eefea3f3bee74a483ae27
                                  • Opcode Fuzzy Hash: 0938a56ca74b55af2fe0bba3de31c1e78ae0889fdac34cf727c9e0ba42d02957
                                  • Instruction Fuzzy Hash: 76C1AE74E01218CFEB54DFA5C984BADBBB2BF89300F2081A9D509AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e6d73db75de9d027e46264049b8828ad24a17be271098a713266efbb94df500
                                  • Instruction ID: ff0ded73eb16cc031e8c9c5ed1c690957b4afa71c05d6771a73fa07c9b72a32f
                                  • Opcode Fuzzy Hash: 3e6d73db75de9d027e46264049b8828ad24a17be271098a713266efbb94df500
                                  • Instruction Fuzzy Hash: C6C19D74E01218CFEB54DFA5C984BADBBB2BF89300F2081A9D509AB355DB359E85CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1821b2188737c7083943f87a3786011a4f1aaf8c020ec9adec3a57c7fa0d70e1
                                  • Instruction ID: 2c1243feeefa33e15f7ebb4688494259912d3f5e71cfc82df9d14ef6e50e3317
                                  • Opcode Fuzzy Hash: 1821b2188737c7083943f87a3786011a4f1aaf8c020ec9adec3a57c7fa0d70e1
                                  • Instruction Fuzzy Hash: 07912771E00259CFDB54CFAAC584AAEBBB2BF84310F15C469D919AB365DB30E841CF51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                  • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                                  • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                  • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                  • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
                                  • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                  • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b28c035aaf652cb23768f350de75a7c6a9b82321b5c46227e3d7ebc763ed2640
                                  • Instruction ID: 1241ccae4144409048b1aaf70080ad52e1035f9dc9666406061652fc5993035d
                                  • Opcode Fuzzy Hash: b28c035aaf652cb23768f350de75a7c6a9b82321b5c46227e3d7ebc763ed2640
                                  • Instruction Fuzzy Hash: AF61EC71E01249DBDB48DF6AE990A9EFBF7EBC4340F14C569D005AB268DBB45C46CB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 635f5706d28702a66a96a3b42e812b960d62efd51fdd46b27562d9c0c841a050
                                  • Instruction ID: 2fa23a1553002dad94b08a3b1398491c82301d32e2f8b0d56b4c76159091bfa1
                                  • Opcode Fuzzy Hash: 635f5706d28702a66a96a3b42e812b960d62efd51fdd46b27562d9c0c841a050
                                  • Instruction Fuzzy Hash: DA61FC71E01249DBDB48DF6AE890A9EFBF7EBC4340F14C569D005AB268DBB45C45CB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7efad0b4727a074d64c21a3e6512ac13f051fe92397a7040ac5d1e80d17dd63
                                  • Instruction ID: fe979a8e549af797031eb567a7e4183cf57c468ac3b6eac841d0f0b6c3a4f4a7
                                  • Opcode Fuzzy Hash: b7efad0b4727a074d64c21a3e6512ac13f051fe92397a7040ac5d1e80d17dd63
                                  • Instruction Fuzzy Hash: DC514BB1D056588BEB68CF6B8D442CAFAF7AFC8340F14C1FA954DA6214DBB40AC18F40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef551161ceda933897e9b40a155b1fe29cd534a6fe0d00bd4b13811915979016
                                  • Instruction ID: 68d770e6661c863af3b853418e8e6565d44831966c6b31efad06ac32b7d2a559
                                  • Opcode Fuzzy Hash: ef551161ceda933897e9b40a155b1fe29cd534a6fe0d00bd4b13811915979016
                                  • Instruction Fuzzy Hash: 9D41FFB4D003499FDF14CFA9D984B9EBBF5BF49304F209129E816AB250E7749985CF84
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3374240766.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_2ce0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8525024cf3ccf17b9e4ccbaeefa11e6971bd07a16bf316c7d4e6b45d6fd8aca
                                  • Instruction ID: 94fb8f120163a8004f94fa91c9ada9d3a658528f36c8a635adba62b949956280
                                  • Opcode Fuzzy Hash: b8525024cf3ccf17b9e4ccbaeefa11e6971bd07a16bf316c7d4e6b45d6fd8aca
                                  • Instruction Fuzzy Hash: AA512FB5D056588BEB6CCF6B8D446CAFAF3AFC8300F14C1FA944CA6214DB700AC68E41
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f78925856a277e91910e46f4665ade704263e33ebf095b3c29ba85955debb17
                                  • Instruction ID: c0ae09dfbf2ed5e1629ce616d9aa7e3b428c49950ef422701dc87632420dde24
                                  • Opcode Fuzzy Hash: 8f78925856a277e91910e46f4665ade704263e33ebf095b3c29ba85955debb17
                                  • Instruction Fuzzy Hash: E741F5B1E01248CBEB58DFEAD8546ADFBB2BF89300F20D129C518BB254EB345A45CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6df336ea44f51c36b741ad9eb7c4ba6092c063359c9a2314663653a1a6f224da
                                  • Instruction ID: d0d3f6e05cf423ed78529114c10b760a8b69f916621916e7d4a00c011b417470
                                  • Opcode Fuzzy Hash: 6df336ea44f51c36b741ad9eb7c4ba6092c063359c9a2314663653a1a6f224da
                                  • Instruction Fuzzy Hash: 4A41E570E01248CBEB58CFAAD8546EEBBB6BF88310F24C129C414BB254EB755946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15901b1ed3e9331c7b99cfde0f6a11620ce92e3987a11c61aadef476d3b20951
                                  • Instruction ID: bd6530569f53006cecf59e93b7c71810766d571a46138bced482d0a95daa115e
                                  • Opcode Fuzzy Hash: 15901b1ed3e9331c7b99cfde0f6a11620ce92e3987a11c61aadef476d3b20951
                                  • Instruction Fuzzy Hash: 0E4126B0E01248CBEB18CFAAD8447EEBBB6BF88310F24C129C414AB254EB344946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbf21bee1ff851de6a458c7c2d821752be556bc386bbfa808085358f1af9a89e
                                  • Instruction ID: fd980a645ee91c4929328822ce1dfbe87621a4e4828c7fb1cec470a1358b6374
                                  • Opcode Fuzzy Hash: fbf21bee1ff851de6a458c7c2d821752be556bc386bbfa808085358f1af9a89e
                                  • Instruction Fuzzy Hash: 2E41F875E01248DBDB58DFAAD9456EEFBB6BF88300F24C12AD414BB264EB344946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff91737374cbfe8c016bb9b6978478b0302f26f3226b008b1c75742dedfb0800
                                  • Instruction ID: 1555e23bcc2047a2e08f3bc72a1e8494af674a263bb22fc55508ad8e8023d964
                                  • Opcode Fuzzy Hash: ff91737374cbfe8c016bb9b6978478b0302f26f3226b008b1c75742dedfb0800
                                  • Instruction Fuzzy Hash: 8C4102B0E0124CDBEB58CFAAD8446EEBBB2BF89300F20D129D415BB254EB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 917849a2ab2bb984d8cb4554d9bbe470224c4d9c7a1b4350b38af9ab98996dfd
                                  • Instruction ID: 023c598682b4607c8557e3b954f798bfe0c09ac92b2d1a9dcecae08c1e209f31
                                  • Opcode Fuzzy Hash: 917849a2ab2bb984d8cb4554d9bbe470224c4d9c7a1b4350b38af9ab98996dfd
                                  • Instruction Fuzzy Hash: 0B41E370E01248CBEB58CFAAD9546EEBBF2BF89300F24C129C419AB255EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2241d12f339f649b34e1f88c30b31b01d0fa456ce9210ec6f9e174de9e6f3eb6
                                  • Instruction ID: 15ec88085590c0214bc258d88ad76d725b60f9a489e27c9df50f2a8b74c73964
                                  • Opcode Fuzzy Hash: 2241d12f339f649b34e1f88c30b31b01d0fa456ce9210ec6f9e174de9e6f3eb6
                                  • Instruction Fuzzy Hash: 5241E574E01248DFEB58CFAAD4556EEFBB2BF88300F24D129C515AB264EB345946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2888626513606226c409a404012fd7c7701114d85c830890a40eae75e855d361
                                  • Instruction ID: 54f86d685f31e3750ee5129926b915b2228c2c9f738b76eee4534769c0994a0b
                                  • Opcode Fuzzy Hash: 2888626513606226c409a404012fd7c7701114d85c830890a40eae75e855d361
                                  • Instruction Fuzzy Hash: 3741E575E01248CBEB58CFEAD4546EEFBB2BF89300F24C129C418AB255DB344946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e16621f6d7537712a1e2bf34b11a4f7e8f68a8e5c4aca12b6a54f73146fb776
                                  • Instruction ID: 97ac4e0185f7bcd75935a8f0d3b9f9124abd134c4f92aea735f0483e3c97d58a
                                  • Opcode Fuzzy Hash: 4e16621f6d7537712a1e2bf34b11a4f7e8f68a8e5c4aca12b6a54f73146fb776
                                  • Instruction Fuzzy Hash: 1B41F6B4E01248DBEF58DFAAD9446DEFBB6BF88300F20C129C418AB254EB355941CF55
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9bc0e2a0bb5fc1d9032ffe751c615882b357efafb4126e48c00c6aaf7557b2e4
                                  • Instruction ID: 4da5aa3cef5f95a7c37c4192251beacd76f167ad06b51f813fe166779b79b525
                                  • Opcode Fuzzy Hash: 9bc0e2a0bb5fc1d9032ffe751c615882b357efafb4126e48c00c6aaf7557b2e4
                                  • Instruction Fuzzy Hash: 8141F5B0E01248CBEB58DFAAC9546EEFBB2BF88300F24C129C415BB255EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02318022f2159e9751e8286f882da18152feaf9157544334fc2dc21a194c0e80
                                  • Instruction ID: 965513e7e828ff714985fb4d8e750af814297ac5ccc7860caadae759967904b9
                                  • Opcode Fuzzy Hash: 02318022f2159e9751e8286f882da18152feaf9157544334fc2dc21a194c0e80
                                  • Instruction Fuzzy Hash: 9441F6B4E01248CBDB58DFAAD5447EEFBB2BF88300F24D129C414AB254EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca1db24c07a52042e1cbb922485e3c65c4e77aa864d631452953deda46db7b11
                                  • Instruction ID: b56123680d6cf672de7504a4d90b396508e5cf13c577dba1e9c1ba2b25241524
                                  • Opcode Fuzzy Hash: ca1db24c07a52042e1cbb922485e3c65c4e77aa864d631452953deda46db7b11
                                  • Instruction Fuzzy Hash: CD41D5B1E01248CBEB58DFAAD5546EEFBB2BF88300F24C129C414AB258EB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d7db51df02bf27e93ed81cffaaa80b5f434f2927cc8c98acf1000bacd96dd92d
                                  • Instruction ID: 7ad1357a7e2495cce82054b0fb32525e3792208a4c99b27179d2a53ee55c2bd1
                                  • Opcode Fuzzy Hash: d7db51df02bf27e93ed81cffaaa80b5f434f2927cc8c98acf1000bacd96dd92d
                                  • Instruction Fuzzy Hash: 70410570E01248CBEB18CFAAC8447EEFBB2BF89300F24C129C418AB254DB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                  • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
                                  • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                  • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f292274bae55deb865870c25a731b7f700e5ce653a316d8756da556cd09d95f
                                  • Instruction ID: 0e152613219c826ac8eb43c232d87f34038f606b6ad1382fdc1a7cf373c1427a
                                  • Opcode Fuzzy Hash: 1f292274bae55deb865870c25a731b7f700e5ce653a316d8756da556cd09d95f
                                  • Instruction Fuzzy Hash: B841D2B4E01248DBEF58DFAAD9546EEBBB2BF88300F24C129C415BB254EB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5699d958f0b59bd0637d8fd953eff9bbf2bfe5c2b63fe22221d01af7e4f1ad17
                                  • Instruction ID: d410c550001b7229cc615b62625884c3865c128085f78406ffec53788857a54c
                                  • Opcode Fuzzy Hash: 5699d958f0b59bd0637d8fd953eff9bbf2bfe5c2b63fe22221d01af7e4f1ad17
                                  • Instruction Fuzzy Hash: 4141E370E01248CBEB58DFAAD5546EEFBF2BF89300F24D12AC419AB255DB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8cd157364ee2899dcc19ccc8bc76398161eb3f4fb0307495e3d8480571c41811
                                  • Instruction ID: 3da0336a00e77dd0a8ec04f855ec4276f0206153238a2354927c75044594e192
                                  • Opcode Fuzzy Hash: 8cd157364ee2899dcc19ccc8bc76398161eb3f4fb0307495e3d8480571c41811
                                  • Instruction Fuzzy Hash: F741C271E01248CBEB58DFAAC9546EEFBB2BF89300F24C129D415BB254EB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dacd5fdd96e42fdc23f54b45cec846f0718a787fadaa1992dfa2674753e2d99d
                                  • Instruction ID: f61f18109782fd146cbed5f6ae8186ada4fe50659f968815829d72124ee05cc6
                                  • Opcode Fuzzy Hash: dacd5fdd96e42fdc23f54b45cec846f0718a787fadaa1992dfa2674753e2d99d
                                  • Instruction Fuzzy Hash: DD41D3B4E01249CBEB18DFAAD9546DEFBF2BF88300F24C129C415AB255EB395946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8af284d206dd8b33f7d2618e4535e64f5f7cf4ddb7ee137d37ee16b03006e709
                                  • Instruction ID: 8fd70e923df159355beaebab37bd0eaea8b9403e10e358f3907225aafe5476a4
                                  • Opcode Fuzzy Hash: 8af284d206dd8b33f7d2618e4535e64f5f7cf4ddb7ee137d37ee16b03006e709
                                  • Instruction Fuzzy Hash: B941F574E01248CFEB58DFAAC9546EEFBB2BF89300F24D129C418AB255EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36cdc8e350693d55eb6809be087557156dbf67afd247f09b4949e609c33ba7db
                                  • Instruction ID: 7220c437f66a51f125b983bcdb265cd8aebe4bc4560b761bb8e3492fd291159e
                                  • Opcode Fuzzy Hash: 36cdc8e350693d55eb6809be087557156dbf67afd247f09b4949e609c33ba7db
                                  • Instruction Fuzzy Hash: AC41F670E01248DBEB58DFAAD9456EEBBB2BF89300F24C129C415BB264EB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ffb5cc38f6817cdf316ac0bc7e06f85b629e83b3ea7915e50d8d72d7ae6c8095
                                  • Instruction ID: ab3ea0c56e0bf5b1a19eab291e0cbe838d89c21df4c8011a0dbcbf0e69fd8ee1
                                  • Opcode Fuzzy Hash: ffb5cc38f6817cdf316ac0bc7e06f85b629e83b3ea7915e50d8d72d7ae6c8095
                                  • Instruction Fuzzy Hash: E441E270E01648CBEB58DFAAC5447EEBBF2BF89300F24C12AC418AB254EB344946CF40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06bff5eeb405562c6c2440232c9bad36d2eb482d08e83fe4b9888d42c7cdaa20
                                  • Instruction ID: b985e44bd4c49d88f9a630eaf78419a6b928da86ac0e09bb9e975e0056c54e92
                                  • Opcode Fuzzy Hash: 06bff5eeb405562c6c2440232c9bad36d2eb482d08e83fe4b9888d42c7cdaa20
                                  • Instruction Fuzzy Hash: F941F374E01648CBEB58DFAAC5546EEFBB2BF89300F24C12AC415AB254EB384946CF40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86c3e3df2ac2724ac7a25e0979807eeb1d3044cee06df8d0c1fb1723a72f2e0e
                                  • Instruction ID: eed03167f099ef91e83d0cd4048b104872f1bfe64413d2a21ed8b42a806b76a9
                                  • Opcode Fuzzy Hash: 86c3e3df2ac2724ac7a25e0979807eeb1d3044cee06df8d0c1fb1723a72f2e0e
                                  • Instruction Fuzzy Hash: 1541D270E01648CBEB58DFAAD9447AEBBF2BF89300F24C129C418AB254EB345946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 227a79e39c89012f8a874e775dcc38c89bc7cafb45d9b2512c2b5fa5ececdd2a
                                  • Instruction ID: 2b4dc079e46f21f484ddd7d8b64f783ccbb8b0f4e459b4c512e5fc30c7e2c9e9
                                  • Opcode Fuzzy Hash: 227a79e39c89012f8a874e775dcc38c89bc7cafb45d9b2512c2b5fa5ececdd2a
                                  • Instruction Fuzzy Hash: B641D5B0E01648CBEF58DFAAD5547ADFBB2BF89300F24D129C415AB254DB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e209ea3dc6bb0dee208471c49034e28591b12a79d1cb9e4cf574f1f1a34248db
                                  • Instruction ID: 399847eb21d4f44c512d9db834c4a2790d74f7f32e43f5d0c32105bf829668d0
                                  • Opcode Fuzzy Hash: e209ea3dc6bb0dee208471c49034e28591b12a79d1cb9e4cf574f1f1a34248db
                                  • Instruction Fuzzy Hash: FA41E470E01648CBEB58DFAAD5546EEFBF2BF89300F24C12AC418AB254EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4be685f6f5693589696a2aafb0612edc3ded71def810174f38c726f97d7a6301
                                  • Instruction ID: 3179f1b51c3c9082efa770df7e269d4a3ce47dbcf4a87b476ccbe392e10403c5
                                  • Opcode Fuzzy Hash: 4be685f6f5693589696a2aafb0612edc3ded71def810174f38c726f97d7a6301
                                  • Instruction Fuzzy Hash: 4441C5B1E01248CBEB58DFEAD5546EEFBB2BF89300F24C129C415AB255DB394946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0fe1d8f5c9cbcd20bd70c436a041c459bdaeb3f98fcd8f564030aea71b4cfef4
                                  • Instruction ID: abecb42258f4ef694c228c405b8f0f0f9b41c774aa921e6044a52366e9900834
                                  • Opcode Fuzzy Hash: 0fe1d8f5c9cbcd20bd70c436a041c459bdaeb3f98fcd8f564030aea71b4cfef4
                                  • Instruction Fuzzy Hash: CC41C474E01248CBEF58DFAAD5546EEFBB2BF88300F24D12AC419AB254EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f083c3619bd5af50b7129ee0dde3c624bcccd5505ad28b1e9acf590c3946333f
                                  • Instruction ID: 8743bafbb7038136c8bf7144493e461c1aef56af7defd8446aa78644298cfa7f
                                  • Opcode Fuzzy Hash: f083c3619bd5af50b7129ee0dde3c624bcccd5505ad28b1e9acf590c3946333f
                                  • Instruction Fuzzy Hash: 0741D571E01249CBEB58DFAAD95479EFBF2BF89300F24C12AC418AB254EB355946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e92035b552d68612fad72f3e7472faf0bafa08968895083f273d5ce09379222c
                                  • Instruction ID: 03250d2f289722adf27824dbe25a5ef27afd1d345b465da711c300ccc3ccbc3f
                                  • Opcode Fuzzy Hash: e92035b552d68612fad72f3e7472faf0bafa08968895083f273d5ce09379222c
                                  • Instruction Fuzzy Hash: CC41E5B1E01248CBEB58DFEAD95469EFBF2BF89300F24C12AC414AB254EB355946CF54
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ee5af57b1882e48fbc208ecd457ad500f384774fb53275e2939e64862693c2a
                                  • Instruction ID: f01279ec527d454003a2423f1962667462be8c5afed3b48fef08ae67e199c840
                                  • Opcode Fuzzy Hash: 7ee5af57b1882e48fbc208ecd457ad500f384774fb53275e2939e64862693c2a
                                  • Instruction Fuzzy Hash: FD41D5B1E01248CBEB58DFEAD5546EEFBB2BF89300F24C12AC415AB254DB354946CF50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                  • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
                                  • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                  • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5158b90ecdf73fab732cbb689cefc6065e5cc429c8de83b3bd26d39b2366dce2
                                  • Instruction ID: 76bf48984ad80e15fb2a6ff0005bee29bb3c0551bcfec4f3691bb63dd3f3e93e
                                  • Opcode Fuzzy Hash: 5158b90ecdf73fab732cbb689cefc6065e5cc429c8de83b3bd26d39b2366dce2
                                  • Instruction Fuzzy Hash: FA21BBB9D052198FDB10CF99D984AEEBBF1FB49320F24A05AE918B3350C375A945CF64
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3379410910.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_65f0000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6ac5fbf36f7d140349991af578b9a10dc60c9cf090b548702ab8b5c3b146c9f
                                  • Instruction ID: 977deefc074e7eac52f55d193d3ef60b736ef67fa2621924cc034e6a7724b98a
                                  • Opcode Fuzzy Hash: b6ac5fbf36f7d140349991af578b9a10dc60c9cf090b548702ab8b5c3b146c9f
                                  • Instruction Fuzzy Hash: FC21B9B5D012188FDB10CF99D984ADEBBF4BB49320F24A01AE908B3310C375A905CFA4
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                  • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02B518E8), ref: 004170C5
                                  • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                  • _malloc.LIBCMT ref: 0041718A
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                  • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                  • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                  • _malloc.LIBCMT ref: 0041724C
                                  • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                  • __freea.LIBCMT ref: 004172A4
                                  • __freea.LIBCMT ref: 004172AD
                                  • ___ansicp.LIBCMT ref: 004172DE
                                  • ___convertcp.LIBCMT ref: 00417309
                                  • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                  • _malloc.LIBCMT ref: 00417362
                                  • _memset.LIBCMT ref: 00417384
                                  • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                  • ___convertcp.LIBCMT ref: 004173BA
                                  • __freea.LIBCMT ref: 004173CF
                                  • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                  • String ID:
                                  • API String ID: 3809854901-0
                                  • Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                  • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                  • Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
                                  • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                  APIs
                                  • _malloc.LIBCMT ref: 004057DE
                                    • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                    • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                    • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4
                                  • _malloc.LIBCMT ref: 00405842
                                  • _malloc.LIBCMT ref: 00405906
                                  • _malloc.LIBCMT ref: 00405930
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: _malloc$AllocateHeap
                                  • String ID: 1.2.3
                                  • API String ID: 680241177-2310465506
                                  • Opcode ID: c570c295d08e1278c666361c79f0e649fdcc2be65710f163d48a412025f04fa0
                                  • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                  • Opcode Fuzzy Hash: c570c295d08e1278c666361c79f0e649fdcc2be65710f163d48a412025f04fa0
                                  • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
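The two "APIs" lists above (the LCMapStringW/MultiByteToWideChar routine at 004170B3 and the _malloc routine at 004057DE, whose callee 0040B84D reaches RtlAllocateHeap) are the quickest way to triage what a function in the injected RegSvcs image actually does. The following is an added example for this report, not Joe Sandbox code: a parser for the "Name.MODULE(args), ref: ADDR" line format as it appears on this page, including the indented "Part of subcall function" entries, that yields per-API call-site counts and flags call sites whose stack arguments the sandbox could not resolve ("?"). The line grammar is inferred from the report text; the two sample blocks are copied from the report lines above.

```python
"""Parse per-function "APIs" reference lists from a Joe Sandbox Windows
analysis report (plain-text export) and summarise the calls.

Added example for this report page; not Joe Sandbox code.  The line format
is inferred from the report itself; the samples are copied from the page.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set

# One "• Name.MODULE(args), ref: ADDR" line.  Calls made by a callee are
# prefixed with "Part of subcall function ADDR:" in the report.
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    ref: int                        # address of the call site
    args: List[str] = field(default_factory=list)
    caller: Optional[int] = None    # set when the call sits inside a subcall

    @property
    def resolved(self) -> bool:
        """True when every stack argument was resolved ('?' marks an unknown)."""
        return all(a != "?" for a in self.args)


def parse_api_refs(text: str) -> List[ApiRef]:
    refs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue   # section labels ("APIs", "Strings") or unrelated lines
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        refs.append(ApiRef(api=m["api"], module=m["module"], ref=int(m["ref"], 16),
                           args=args,
                           caller=int(m["caller"], 16) if m["caller"] else None))
    return refs


def api_counts(refs: List[ApiRef], include_subcalls: bool = False) -> Counter:
    """Call sites per API; subcall entries are excluded unless requested."""
    return Counter(r.api for r in refs if include_subcalls or r.caller is None)


def imported_modules(refs: List[ApiRef]) -> Set[str]:
    return {r.module for r in refs}


# Sample copied from the report: the CRT locale-mapping routine at 004170B3.
SAMPLE_LCMAP = """
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02B518E8), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
"""

# Sample copied from the report: the _malloc routine at 004057DE with subcall entries.
SAMPLE_MALLOC = """
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
"""

if __name__ == "__main__":
    for name, sample in (("004170B3", SAMPLE_LCMAP), ("004057DE", SAMPLE_MALLOC)):
        refs = parse_api_refs(sample)
        print(f"function {name}: {len(refs)} call sites, modules {sorted(imported_modules(refs))}")
        for api, n in api_counts(refs, include_subcalls=True).most_common():
            print(f"  {api:<22} x{n}")
        unresolved = [f"{r.api}@{r.ref:08X}" for r in refs if not r.resolved]
        print("  unresolved-arg call sites:", ", ".join(unresolved) or "none")
```

Run against the first list this reports LCMapStringW four times, LCMapStringA and _malloc three times each and one WideCharToMultiByte, i.e. the Unicode/ANSI conversion wrapper the "API ID" line summarises as String$ByteCharMultiWide; the CRT functions (LIBCMT) are statically linked runtime code, so only the KERNEL32/NTDLL entries are worth checking against the sample's import table or hooked-API log. Counting subcall entries separately keeps a helper such as the heap allocator at 0040B84D from being credited to every caller that reaches it.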
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                  • String ID:
                                  • API String ID: 3886058894-0
                                  • Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                  • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                  • Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
                                  • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                  APIs
                                  • __lock_file.LIBCMT ref: 0040C6C8
                                  • __fileno.LIBCMT ref: 0040C6D6
                                  • __fileno.LIBCMT ref: 0040C6E2
                                  • __fileno.LIBCMT ref: 0040C6EE
                                  • __fileno.LIBCMT ref: 0040C6FE
                                    • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                    • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                  • String ID: 'B
                                  • API String ID: 2805327698-2787509829
                                  • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                  • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                  • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                                  • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                  APIs
                                  • __getptd.LIBCMT ref: 00414744
                                    • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                    • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                  • __getptd.LIBCMT ref: 0041475B
                                  • __amsg_exit.LIBCMT ref: 00414769
                                  • __lock.LIBCMT ref: 00414779
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                  • String ID: @.B
                                  • API String ID: 3521780317-470711618
                                  • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                  • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                  • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                  • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                  APIs
                                  • __getptd.LIBCMT ref: 00413FD8
                                    • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                    • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                  • __amsg_exit.LIBCMT ref: 00413FF8
                                  • __lock.LIBCMT ref: 00414008
                                  • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                  • InterlockedIncrement.KERNEL32(02B51688), ref: 00414050
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                  • String ID:
                                  • API String ID: 4271482742-0
                                  • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                  • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                  • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                  • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __calloc_crt
                                  • String ID: P$B$`$B
                                  • API String ID: 3494438863-235554963
                                  • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                  • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                                  • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                  • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                                  APIs
                                  • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                  • API String ID: 1646373207-3105848591
                                  • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                  • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                  • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                  • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                  APIs
                                  • ___addlocaleref.LIBCMT ref: 0041470C
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                                  • ___removelocaleref.LIBCMT ref: 00414717
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                                  • ___freetlocinfo.LIBCMT ref: 0041472B
                                    • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                                    • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                                    • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                  • String ID: @.B
                                  • API String ID: 467427115-470711618
                                  • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                  • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                                  • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                  • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
                                  APIs
                                  • __fileno.LIBCMT ref: 0040C77C
                                  • __locking.LIBCMT ref: 0040C791
                                    • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                    • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                  • String ID:
                                  • API String ID: 2395185920-0
                                  • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                  • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                  • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                                  • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: _fseek_malloc_memset
                                  • String ID:
                                  • API String ID: 208892515-0
                                  • Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                  • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                  • Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
                                  • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                  APIs
                                  • __flush.LIBCMT ref: 0040BB6E
                                  • __fileno.LIBCMT ref: 0040BB8E
                                  • __locking.LIBCMT ref: 0040BB95
                                  • __flsbuf.LIBCMT ref: 0040BBC0
                                    • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                    • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                  • String ID:
                                  • API String ID: 3240763771-0
                                  • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                  • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                  • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                  • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                  • __isleadbyte_l.LIBCMT ref: 00415307
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                  • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                  • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                  • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3372565036.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.3372565036.0000000000400000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000422000.00000040.80000000.00040000.00000000.sdmp
                                  • Associated: 00000005.00000002.3372565036.0000000000436000.00000040.80000000.00040000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                  • String ID:
                                  • API String ID: 3016257755-0
                                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                  • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                  • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

                                  Execution Graph

                                  Execution Coverage: 6.3%
                                  Dynamic/Decrypted Code Coverage: 62.1%
                                  Signature Coverage: 24.1%
                                  Total number of Nodes: 29
                                  Total number of Limit Nodes: 1
                                  execution_graph (29 nodes written as address [API calls]; "->" is an edge of the rendered graph):
                                  • 4019f0 [OleInitialize] -> 401ab9 -> 401ad3 [CreateToolhelp32Snapshot, Module32First] -> 401dc3 [CloseHandle] -> 401dd1
                                  • 401ad3 -> 401c55 -> 401dc3; 401c55 -> 401c9c
                                  • 401870 -> 40187c -> 4018a4; 40187c -> 401885 [SysAllocString] -> 4018a4
                                  • 3140d78 -> 3140d84 -> 3140d8f; 3140d84 -> 314509c -> 31450a3 -> 31415d5; 31450a3 -> 314ede8 -> 314edfa -> 314ee28 -> 314ee4c -> 314ef30 -> 314ef74 [CloseHandle] -> 314ee09 -> 31415d5
                                  • 314eb48 -> 314eb6f -> 314ec60 -> 314eca9 [VirtualProtect] -> 314ec3e

                                  Control-flow Graph

                                  control_flow_graph for 4019f0 (49 basic blocks; the rendered graph is not recoverable, so only block ranges and calls are listed): entry 4019f0-401c4f [OleInitialize, call 401650, CreateToolhelp32Snapshot, Module32First] -> 401dc3-401ec4 [CloseHandle, call 401650] or 401c55-401c6c [call 401650]. Four near-identical groups starting at 401c55, 401cb0, 401d10 and 401d5d each begin with call 401650, run a small loop (401c73-401c9a, 401cd0-401cf7, 401d30-401d57, 401d80-401da7) and exit either to the terminal block 401c9c-401caf or onward: group 2 via 401cf9-401d09 to 401dc3 or 401d10, group 4 via 401dad-401dbd to 401dc3 or back to 401d10. Exit path: 401dc3-401ec4 -> 401ecb-401ed4 -> 401ed6-401eed or 401eef -> 401ef3-401f1a [call 401300] -> 401f1c-401f2f -> 401f33-401f5d [call 401560] -> 401f5f-401f69 -> 401f6b-401f72 or 401f73-401f75 -> 401f77-401f8d [call 401560] -> 401f92-401ff1.
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 004019FD
                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                  • Module32First.KERNEL32 ref: 00401C48
                                  • CloseHandle.KERNELBASE(00000000), ref: 00401DC4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3372570356.0000000000401000.00000040.80000000.00040000.00000000.sdmp, Offset: 00401000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_401000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: CloseCreateFirstHandleInitializeModule32SnapshotToolhelp32
                                  • String ID: !$"$#$'$*$.$0$4$4$4$8$:$;$D$E$K$V$W$W$[$[$e$h$o$o$o$u$v$v$v$x$x${${
                                  • API String ID: 940440066-1026764690
                                  • Opcode ID: 2eca1e47cefcb902a629483f856c93a8a1cf8f8f31604d41846c2b9a4cd8311b
                                  • Instruction ID: 77b72b40ab8f1096dae875d5d525dae28d7bbb9a6ae7094661ef21702d08ff20
                                  • Opcode Fuzzy Hash: 2eca1e47cefcb902a629483f856c93a8a1cf8f8f31604d41846c2b9a4cd8311b
                                  • Instruction Fuzzy Hash: 05027C2100C7C19AD322DB38884865FBFD55FA7328F480BADF1E55A2E2D7798509C76B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c2304d7ecefcabf2c4ffa9e98e7fd85599f76e1338a377d6cdcf36903e8aaa0
                                  • Instruction ID: 5bf1f1975df8503b8275517644df6cd70dcf039d8cf79dfc5d93b8b43fc5a6be
                                  • Opcode Fuzzy Hash: 3c2304d7ecefcabf2c4ffa9e98e7fd85599f76e1338a377d6cdcf36903e8aaa0
                                  • Instruction Fuzzy Hash: 31825BB0A00229DFCB14DF68D994AAEBBF2FF88314F558559E406DB265DB38EC41CB50

                                  Control-flow Graph

                                  control_flow_graph for 314ec60 (3 basic blocks): 314ec60-314ed14 [VirtualProtect] -> 314ed16-314ed1c -> 314ed1d-314ed65; 314ec60-314ed14 -> 314ed1d-314ed65
                                  APIs
                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0314ED04
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3374413494.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_3140000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  • Opcode ID: 7835a31af2598605b8bf72a3eb5277cc6e18c514abbd81589c46792bf71c9790
                                  • Instruction ID: 56a6c3bf2374c861a09dbc0985c35216fcdaf6c87dd2a7b60c10915237c35f35
                                  • Opcode Fuzzy Hash: 7835a31af2598605b8bf72a3eb5277cc6e18c514abbd81589c46792bf71c9790
                                  • Instruction Fuzzy Hash: F031A8B5D012489FCF10CFA9D980A9EFBB0BF49310F24942AE818B7210D775A945CF64

                                  Control-flow Graph

                                  control_flow_graph for 401870 (8 basic blocks): 401870-401883 -> 401885-4018a2 [SysAllocString] or 4018b2; 401885-4018a2 -> 4018a4-4018a6 or 4018b4-4018b8; 4018a4-4018a6 -> 4018a8 (-> 4018b2) or 4018b4-4018b8; 4018b2 -> 4018b4-4018b8 -> 4018ba (-> 4018c4-4018c9) or 4018c4-4018c9
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3372570356.0000000000401000.00000040.80000000.00040000.00000000.sdmp, Offset: 00401000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_401000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: AllocString
                                  • String ID:
                                  • API String ID: 2525500382-0
                                  • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                  • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                  • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                  • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

                                  Control-flow Graph

                                  control_flow_graph for 314ef30 (3 basic blocks): 314ef30-314efbe [CloseHandle] -> 314efc0-314efc6 -> 314efc7-314f009; 314ef30-314efbe -> 314efc7-314f009
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0314EFAE
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3374413494.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_3140000_RegSvcs.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: d2727b04574fc2d11562c3e53be2c1fd105137a6cf8ddc9a0edbbebc057c6428
                                  • Instruction ID: 406699fa829576ec75dd98db0fefba3e32bc1675cc23767e5244e36e6080d592
                                  • Opcode Fuzzy Hash: d2727b04574fc2d11562c3e53be2c1fd105137a6cf8ddc9a0edbbebc057c6428
                                  • Instruction Fuzzy Hash: 5231CBB4D012599FDF14CFA9D980AAEFBB4BF48310F14942AE814B7340C774A801CFA4

                                  Control-flow Graph (graph rendering omitted; edge data not reproduced)
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad79ae68e00d95cd192cdd925fa3ccd5f556a101df1e1257d5c9b0cb7b98815d
                                  • Instruction ID: 3a4b9c69e3f842b7c3b5869322d706392f49c2af838673421227ea0ac78f1daa
                                  • Opcode Fuzzy Hash: ad79ae68e00d95cd192cdd925fa3ccd5f556a101df1e1257d5c9b0cb7b98815d
                                  • Instruction Fuzzy Hash: EA620175E00219CFEB14DBE8C894BDEBB76EF88340F1080A9D60A6B365DE359D419F51

                                  Control-flow Graph (graph rendering omitted; edge data not reproduced)
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d99ced2ceac851983d4c1c976ea6e9c254617679e6bcef8eae5ca341583a8be1
                                  • Instruction ID: 59257f99453e4796820eb3346816dc6cd573f0dbf06c92bb427efef51b20b976
                                  • Opcode Fuzzy Hash: d99ced2ceac851983d4c1c976ea6e9c254617679e6bcef8eae5ca341583a8be1
                                  • Instruction Fuzzy Hash: 17F11DB5E002259FCB04DFA8C998EADBBF6BF88350B198159E515AB361DB34EC41CB50

                                  Control-flow Graph (graph rendering omitted; edge data not reproduced)
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 818db48d1d139f4dd9fb9d334f9403541eac77e1e69ae3f303489321ca58bd92
                                  • Instruction ID: a4a63946899d37e606538d76ae2b218f09f83eb28d334a11455847b3d0a0275b
                                  • Opcode Fuzzy Hash: 818db48d1d139f4dd9fb9d334f9403541eac77e1e69ae3f303489321ca58bd92
                                  • Instruction Fuzzy Hash: 4861727170A1618FCB14EF7AC894A7A7BEAFF49640705806AE417CB3A1DB38DC018B51

                                  Control-flow Graph (graph rendering omitted; edge data not reproduced)
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 006c817d805789adfcdbae6cc7acf4e674aa9d01814289d03d2047451cf1457f
                                  • Instruction ID: 1e3fcbb9d7fcc9ddd7c1a13b4b359db348b6d278f741bd1d1c4baeccf84e080a
                                  • Opcode Fuzzy Hash: 006c817d805789adfcdbae6cc7acf4e674aa9d01814289d03d2047451cf1457f
                                  • Instruction Fuzzy Hash: 4351F174D01218CFDB15DFE5D894AAEBBB2FF88300F208129E806AB395DB796945CF50

                                  Control-flow Graph (graph rendering omitted; edge data not reproduced)
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 637c3772aae4773d4325f5f3fae9dd7100e48fd970cc8a2afe457796e4c12f99
                                  • Instruction ID: 3c4d3c8b1bf857c9ab05763ca83a5b91ae6c17c01086ff0fb7912c589429c4ef
                                  • Opcode Fuzzy Hash: 637c3772aae4773d4325f5f3fae9dd7100e48fd970cc8a2afe457796e4c12f99
                                  • Instruction Fuzzy Hash: DA4149B5A041259FCB15DF68D848AAE7BB6FB4C351F104069F906CB3A0DB35DC41CBA1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1fe78d7ca77550c32f9d28f1d0549bde870bfae46e7385d80adf48b66a35bc5
                                  • Instruction ID: 9ce93f5642e609b2076df08966c79e9b9cbf613fbacf1ce8f652f6cd0591db64
                                  • Opcode Fuzzy Hash: d1fe78d7ca77550c32f9d28f1d0549bde870bfae46e7385d80adf48b66a35bc5
                                  • Instruction Fuzzy Hash: E0318D75B142149FDB04EB68D854AAE7BF6FBCC650F148469E506EB380DF359C02CBA1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55fbf989cfc7fefb8e98415b01a043ab61eef4a0a89b20cd1b6ba3cb1fc6cc5c
                                  • Instruction ID: f750775308befd9a247f646a4a95350b7ed6a644b669759789dcf9604f1412de
                                  • Opcode Fuzzy Hash: 55fbf989cfc7fefb8e98415b01a043ab61eef4a0a89b20cd1b6ba3cb1fc6cc5c
                                  • Instruction Fuzzy Hash: 96318171E052158FCB04DFADC884AAEBBF6FF88390B248559E515A73A1DB34AC01CB95
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b313b73a410e11acee976f376cec469bb731ad1f2fd23e2694690fcc5725947
                                  • Instruction ID: 39053094ab95d64c6d1bc44badfefc424d61b0c03a8f0dc5cff1f5723e9fa0c1
                                  • Opcode Fuzzy Hash: 2b313b73a410e11acee976f376cec469bb731ad1f2fd23e2694690fcc5725947
                                  • Instruction Fuzzy Hash: 283125B4C12328DBDB14DFA4D8957EEBBB6EF49300F508429E805AB240DB78598ACF50
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 948295f61fec8010382857b85f946fbe99da3b6eddda3cd5c7b1f9228f519bdd
                                  • Instruction ID: daf0fbb29bfb695a1b653e27e4819fc258714d8b139fc23b8a680536060788f4
                                  • Opcode Fuzzy Hash: 948295f61fec8010382857b85f946fbe99da3b6eddda3cd5c7b1f9228f519bdd
                                  • Instruction Fuzzy Hash: B9212876505700EFCB05CF98F9D0B2ABFA5FB88714F24C5A9E9090B656C33AD426CB61
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2eda009867d8844a200d3ff7d4aa9ea4aa232450e37f25413e3f5b461a082f8
                                  • Instruction ID: 58b5bb7dcdc0594cfca680dc41fc240979e6b3aff2c6e224952e89ea668d1eb6
                                  • Opcode Fuzzy Hash: b2eda009867d8844a200d3ff7d4aa9ea4aa232450e37f25413e3f5b461a082f8
                                  • Instruction Fuzzy Hash: 502148B2504644DFCB04EF58E9D0B2ABFA5FB88310F2485ADD90D0B616C336D456CAA1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373962240.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30bd000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d95e1fa02a57e7e55b2f616905ae11da3683f2e45b9fa1619e3404a791ee21f6
                                  • Instruction ID: ff78690a2a43cd87ff08daac91d9f67569f9c86abbf54838deb6334f5de920e4
                                  • Opcode Fuzzy Hash: d95e1fa02a57e7e55b2f616905ae11da3683f2e45b9fa1619e3404a791ee21f6
                                  • Instruction Fuzzy Hash: 272134B1504204EFCB14CF24D9C0B6AFBB5FB84314F24C9ADE9090B252C77AD846CB61
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 858f6b5c2d5ffad368346278de96630b207b37df9710273eb049590ae4bf13e2
                                  • Instruction ID: e51dd79d73c32ddcfacb08044464869ece9543b590ff7b5e1ee9647e8d32d670
                                  • Opcode Fuzzy Hash: 858f6b5c2d5ffad368346278de96630b207b37df9710273eb049590ae4bf13e2
                                  • Instruction Fuzzy Hash: 4E219076504644DFCB15CF54E9C4B16BFB1FB84314F28C1A9D9050BA56C33AD466CB91
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e33c40d954198949ad8286e652296461c2097b8667bfc91df540e88ec3755ca
                                  • Instruction ID: b449326a50c369977cc5696791d62953bacddeecb9bbc0aaac2dcd58e695cc96
                                  • Opcode Fuzzy Hash: 4e33c40d954198949ad8286e652296461c2097b8667bfc91df540e88ec3755ca
                                  • Instruction Fuzzy Hash: 6F1126B6504684CFCB11DF54E5C0B16BFB2FB84314F28C1A9DC484B616C33AD456CBA1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373962240.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30bd000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68e7330bde49d684c6ad2cacf2c26c916842cd5046088b57d5613aa190d51f1b
                                  • Instruction ID: ab0836c48071f283ed9a33a2683e5fb42c8f57a8b8e7eda84d3cc61de093f4e6
                                  • Opcode Fuzzy Hash: 68e7330bde49d684c6ad2cacf2c26c916842cd5046088b57d5613aa190d51f1b
                                  • Instruction Fuzzy Hash: 6B118B75504284DFCB15CF14D9C4B55FBB2FB84314F28CAA9D8494B656C33AD44ACF62
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f70b6892c39c1d57ea84bcf3872c8b89ef42ee2e571212606de4656550848d4
                                  • Instruction ID: 9031df52264eee91d891233c5ee4b3646d39e5d1296a953c8fb6a409684ca400
                                  • Opcode Fuzzy Hash: 8f70b6892c39c1d57ea84bcf3872c8b89ef42ee2e571212606de4656550848d4
                                  • Instruction Fuzzy Hash: EF01806140E7C09FD7128B699C94B62BFA8DF43224F0D81CBE9888F593C2685C45D772
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3373859130.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_30ad000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b36c11881774a1528590ec716fc2fac0db1b365d4b9ed8df6a2cd6d73d3be0ac
                                  • Instruction ID: fed6da5672fd52c1ca28f9aca795d1538953865adb79b149616a07ac315b5ea9
                                  • Opcode Fuzzy Hash: b36c11881774a1528590ec716fc2fac0db1b365d4b9ed8df6a2cd6d73d3be0ac
                                  • Instruction Fuzzy Hash: BD01F271406B40DAE7108AADED84F6AFFD8EF41724F0CC45AEE480A682C6B89841D6B1
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 003a98711c73eae4c0bd23b3130a5ef674d022eb48054557552de167be23e7fd
                                  • Instruction ID: 8f1282df17c04e5f2018b8398a4245e187c516296f05cf9079dc3e8cefa28624
                                  • Opcode Fuzzy Hash: 003a98711c73eae4c0bd23b3130a5ef674d022eb48054557552de167be23e7fd
                                  • Instruction Fuzzy Hash: 8DF062717085704B8B259A6E9594A2ABBDEFFCCA953150079F906CB3A5EE64CC01C690
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d79518e5fb50f1c28616b22d073da47d48c3d5786812d7cbc8d8abbe47b99721
                                  • Instruction ID: 2aaa01d0e801194999142fe52fe909c939e9e6c00040ce6c9e0050f25b2abeb4
                                  • Opcode Fuzzy Hash: d79518e5fb50f1c28616b22d073da47d48c3d5786812d7cbc8d8abbe47b99721
                                  • Instruction Fuzzy Hash: 82E0ECB7E0E2645BC7125249BC51756FF15DBCD1B1F150177F50DC7242F809C40441A0
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3379615718.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_5f20000_RegSvcs.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc8efd64e373af769f76e41bf4da30643d697cf9c7c30794d5de938800b22737
                                  • Instruction ID: 896dfb785490226ae252324f5f082f3a3d32fe1ea02ce2be5d33b4e3c4560388
                                  • Opcode Fuzzy Hash: dc8efd64e373af769f76e41bf4da30643d697cf9c7c30794d5de938800b22737
                                  • Instruction Fuzzy Hash: C0D0673AB10108DFCB059F98E8409DDB7B6FB9C261B048126F915A7260C6319921DB60